Re: [Freeipa-users] Trying to trace why a user cannot login to a client
Steven Jones wrote:
> Hi,
>
> I removed jonesst1 from the user group, then jonesst1 cannot login, so
> jonesst1 is using user group and HBAC to login as is thing, put it back
> and jonesst1 works again...
>
> :/
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 3:47 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] Trying to trace why a user cannot login to a
> client
>
> I have a user jonesst1 which can login to a workstation fine, but a second
> user thing cannot, here is the secure log output,
>
> =
> May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
> May 1 15:45:50 vuwunicorh6ws04 login: pam_unix(login:session): session opened for user jonesst1 by LOGIN(uid=0)
> May 1 15:45:50 vuwunicorh6ws04 login: LOGIN ON tty1 BY jonesst1
> May 1 15:45:52 vuwunicorh6ws04 login: pam_unix(login:session): session closed for user jonesst1
> May 1 15:45:55 vuwunicorh6ws04 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> May 1 15:45:55 vuwunicorh6ws04 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
> May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
> May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
> May 1 15:46:03 vuwunicorh6ws04 login: FAILED LOGIN 1 FROM (null) FOR thing, Authentication failure
> =

This looks like system error in SSSD, could you please try to reproduce the
issue again and send us SSSD log files with reasonable debug level (let's say
7)?

Thanks
Jan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
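An added example, not part of the original thread: a short Python triage over the PAM auth entries quoted in the message above. It shows that the pam_unix failure is logged for both users and that the two logins differ only in the pam_sss result. The function name `triage` and the verdict strings are assumptions; the sample lines are re-split from the quoted log.

```python
import re

# Constructed sample: auth entries taken from the quoted /var/log/secure excerpt, one per line.
SAMPLE = """\
May 1 15:45:49 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:45:50 vuwunicorh6ws04 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=jonesst1
May 1 15:46:00 vuwunicorh6ws04 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): system info: [Decrypt integrity check failed]
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=thing
May 1 15:46:00 vuwunicorh6ws04 login: pam_sss(login:auth): received for user thing: 4 (System error)
"""

ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+: (pam_\w+)\(\S+:auth\): (.*)$")
RESULT = re.compile(r"^authentication (success|failure);.*\buser=(\S+)")
RECEIVED = re.compile(r"^received for user (\S+): (\d+) \((.*)\)$")
INFO = re.compile(r"^system info: \[(.*)\]$")

def triage(text):
    """Return {user: summary} for the PAM auth entries in a secure-log excerpt."""
    users, pending_info = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        module, msg = m.groups()
        if (r := RESULT.match(msg)):
            u = users.setdefault(r.group(2), {"info": [], "code": None})
            u[module] = r.group(1)
            if module == "pam_sss":   # "system info" lines precede the result they belong to
                u["info"] += pending_info
                pending_info = []
        elif (r := INFO.match(msg)):
            pending_info.append(r.group(1))
        elif (r := RECEIVED.match(msg)):
            u = users.setdefault(r.group(1), {"info": [], "code": None})
            u["code"] = (int(r.group(2)), r.group(3))
    for u in users.values():
        # pam_unix fails for both users in the sample, so only the pam_sss result decides.
        if u.get("pam_sss") == "success":
            u["verdict"] = "login ok via SSSD"
        elif u["code"] and u["code"][1] == "System error":
            u["verdict"] = "SSSD system error: collect SSSD debug logs"
        else:
            u["verdict"] = "rejected by SSSD"
    return users
```
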
Re: [Freeipa-users] ipa-client install error
I don't see anything much more useful in the log file. The last line in the
traceback suggests there is something wrong with connection to your KDC, does
the connection to it work from other machines?

Also, just out of curiosity about the SSH error message - what version of SSSD
do you have installed?

Thanks
Jan

Steven Jones wrote:
> encl ipa install log
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 1 May 2012 2:22 p.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] ipa-client install error
>
> I made a slight oops, I just upgraded a long un-used vm on my desktop from
> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite
> is down I can't correct this so I tried to add the 6.3beta client to IPA on
> 6.2 and I get an error.
>
> ==
> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> Discovery was successful!
> Hostname: rhel664ws01.ods.vuw.ac.nz
> Realm: ODS.VUW.AC.NZ
> DNS Domain: ods.vuw.ac.nz
> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admjonesst1
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admjones...@ods.vuw.ac.nz:
>
> Enrolled in IPA realm ODS.VUW.AC.NZ
> Created /etc/ipa/default.conf
> Unable to activate the SSH service in SSSD config.
> Please make sure you have SSSD built with SSH support installed.
> Configure SSH support manually in /etc/sssd/sssd.conf.
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1534, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1521, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1358, in install
>     api.Backend.xmlclient.connect()
>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>     raise errors.KerberosError(major=str(krberr), minor='')
> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> [root@rhel664ws01 ~]#
> ===
>
> Is this expected when trying to connect 6.3beta? i.e. it's simply not
> compatible?
Re: [Freeipa-users] Problem when SSHing into FreeIPA client
Dmitri Pal wrote:
> On 10/19/2011 04:05 PM, Dan Scott wrote:
> > Hi,
> >
> > I am having some problems when SSHing into my Fedora 15 client which
> > is authenticated using FreeIPA
> >
> > djscott@pc35:~$ ssh admin@pc35
> > admin@pc35's password:
> > id: cannot find name for user ID 181260
> > id: cannot find name for user ID 181260
> > [I have no name!@pc35 ~]$ logout
> > Connection to pc35 closed.
> >
> > I've attached the output from /var/log/secure and my sssd.conf
> > (sanitized)
> >
> > When running as my user, everything appears OK. The 'id' command
> > returns the correct groups for my user and for the admin user:
> >
> > djscott@pc35:~$ id admin
> > uid=181260(admin) gid=181260(admins) groups=181260(admins),1115(svnadmins)
> >
> > Any ideas what could be wrong?
> >
> > Does anyone have an example of a 'clean' sssd.conf for a standard
> > FreeIPA configured client? I think mine has been modified so much that
> > it's probably full of unnecessary junk.
>
> The simplest way to get to the canonical sssd.conf is probably to
> uninstall the client and re-install it again.
> Please use ipa-client-install --uninstall to uninstall and then
> ipa-client-install to enroll.

If this doesn't work, could you please send sanitized log files of SSSD?

> > I'm running the latest FreeIPA and SSSD packages:
> >
> > djscott@pc35:~$ rpm -qa|grep "freeipa-client\|sssd"
> > sssd-client-1.5.13-1.fc15.2.x86_64
> > freeipa-client-2.1.0-1.fc15.x86_64
> > sssd-1.5.13-1.fc15.2.x86_64
> > sssd-tools-1.5.13-1.fc15.2.x86_64
> > djscott@pc35:~$
> >
> > Thanks,
> >
> > Dan