Re: [Freeipa-users] Issues after setup
[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
Access granted: True
Matched rules: allow_all
[root@freeipa ~]#

└─ ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
Connection closed by 54x.x.x.x

(client server logs)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration

(client ipa versions)
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64

(master ipa versions)
[root@freeipa ~]# rpm -qa |grep ipa-
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@freeipa ~]#

On Thu, Apr 4, 2013 at 5:06 PM, KodaK sako...@gmail.com wrote:
> Run an hbactest:
>
> ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd
>
> Make sure that works; if it does, then you can move on to troubleshooting the host itself.
>
> On Thu, Apr 4, 2013 at 2:27 PM, Shawn taaj.sh...@gmail.com wrote:
>> Hi,
>>
>> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client.
>>
>> When trying to login as the user to the client, I see this in the secure.log:
>>
>> fatal: Access denied for user username by PAM account configuration.
>>
>> Any suggestions on steps to troubleshoot this?
>>
>> Thanks
>>
>> --
>> - Shawn Taaj
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> The government is going to read our mail anyway, might as well make it tough for them.
> GPG Public key ID: B6A1A7C6

--
- Shawn Taaj
Re: [Freeipa-users] Issues after setup
Shawn wrote:
> [root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> Access granted: True
> Matched rules: allow_all
> [root@freeipa ~]#
>
> └─ ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> Connection closed by 54x.x.x.x
>
> (client server logs)
> Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
> Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration
>
> (client ipa versions)
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
>
> (master ipa versions)
> [root@freeipa ~]# rpm -qa |grep ipa-
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root@freeipa ~]#

An error is occurring somewhere, which is why access is denied. This isn't HBAC; that looks like:

pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)

You need to crank up debugging in sssd and see what its logs say.

rob
Re: [Freeipa-users] Issues after setup
On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> Shawn wrote:
>> [root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
>> Access granted: True
>> Matched rules: allow_all
>> [root@freeipa ~]#
>>
>> └─ ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
>> Connection closed by 54x.x.x.x
>>
>> (client server logs)
>> Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
>> Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration
>>
>> (client ipa versions)
>> ipa-admintools-3.0.0-26.el6_4.2.x86_64
>> ipa-client-3.0.0-26.el6_4.2.x86_64
>> ipa-python-3.0.0-26.el6_4.2.x86_64
>>
>> (master ipa versions)
>> [root@freeipa ~]# rpm -qa |grep ipa-
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-client-3.0.0-26.el6_4.2.x86_64
>> ipa-python-3.0.0-26.el6_4.2.x86_64
>> ipa-admintools-3.0.0-26.el6_4.2.x86_64
>> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
>> ipa-server-3.0.0-26.el6_4.2.x86_64
>> [root@freeipa ~]#
>
> An error is occurring somewhere, which is why access is denied. This isn't HBAC; that looks like:
>
> pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
>
> You need to crank up debugging in sssd and see what its logs say.
>
> rob

What SSSD version is there on the client? It's possible that it might be a similar issue to one Jan-Frode had with SELinux.

Rob is right, please raise the debug_level in the [pam] and [domain] sections and attach or paste the relevant portions of (sanitized) logs.
Re: [Freeipa-users] Issues after setup
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'staaj' matched without domain, user is staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/company-dev.com/staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:st...@vocal-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [company-dev.com][3][1][name=staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:st...@company-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: B35A10
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb41990
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:st...@company-dev.com]

The only thing I see about SELinux is here:

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

# rpm -qa |grep sssd
sssd-client-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64

On Wed, Apr 10, 2013 at 2:15 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
>> Shawn wrote:
>>> [root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
>>> Access granted: True
>>> Matched rules: allow_all
>>> [root@freeipa ~]#
>>>
>>> └─ ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
>>> Connection closed by 54x.x.x.x
>>>
>>> (client server logs)
>>> Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
>>> Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration
>>>
>>> (client ipa versions)
>>> ipa-admintools-3.0.0-26.el6_4.2.x86_64
Re: [Freeipa-users] Issues after setup
On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

I think this is the smoking gun. What state is SELinux in? (run sestatus)

Are there any AVC denials that would indicate the directory is mislabeled?

What is the output of:

# ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins
Re: [Freeipa-users] Issues after setup
[root@freeclient1 sssd]# sestatus
SELinux status:                 disabled
[root@freeclient1 sssd]# ls -ldZ /etc/selinux/
drwxr-xr-x root root ?                                /etc/selinux/
[root@freeclient1 sssd]#

On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
>> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
>> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
>
> I think this is the smoking gun. What state is SELinux in? (run sestatus)
>
> Are there any AVC denials that would indicate the directory is mislabeled?
>
> What is the output of:
>
> # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins

--
- Shawn Taaj
Re: [Freeipa-users] Issues after setup
Yep, sure does. Thanks much. If SELinux is disabled, why does it care?

On Wed, Apr 10, 2013 at 2:37 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Wed, Apr 10, 2013 at 02:34:06PM -0400, Shawn wrote:
>> [root@freeclient1 sssd]# sestatus
>> SELinux status:                 disabled
>> [root@freeclient1 sssd]# ls -ldZ /etc/selinux/
>> drwxr-xr-x root root ?                                /etc/selinux/
>> [root@freeclient1 sssd]#
>
> I take it there is no directory /etc/selinux/targeted/logins (or /etc/selinux/targeted/ for that matter?)
>
> Does mkdir -p /etc/selinux/targeted/logins solve things for you?
>
>> On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek jhro...@redhat.com wrote:
>>> On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
>>>> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
>>>> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
>>>
>>> I think this is the smoking gun. What state is SELinux in? (run sestatus)
>>>
>>> Are there any AVC denials that would indicate the directory is mislabeled?
>>>
>>> What is the output of:
>>>
>>> # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins
>>
>> --
>> - Shawn Taaj

--
- Shawn Taaj
Re: [Freeipa-users] Issues after setup
On Wed, Apr 10, 2013 at 02:49:46PM -0400, Shawn wrote:
> Yep, sure does. Thanks much. If SELinux is disabled, why does it care?

It's an SSSD bug: https://bugzilla.redhat.com/show_bug.cgi?id=914433

We didn't realize that SELinux disabled might mean that the directory is not there at all. Luckily there is a simple workaround.
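The triage the thread walks through (raise debug_level, look for the write_selinux_login_file failure in the sssd PAM log, check whether /etc/selinux/targeted/logins exists, apply the mkdir -p workaround) as a small POSIX shell helper. This is an added example, not code from the thread or from SSSD; the log lines in its demo are constructed to mirror the ones Shawn posted, and the default log path /var/log/sssd/sssd_pam.log is an assumption about the client's layout.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): triage helper for the
# "pam_sss(sshd:account): Access denied for user ...: 4 (System error)" case.
# It looks for the write_selinux_login_file failure in the sssd PAM debug log
# (visible only after raising debug_level in the [pam] section) and checks
# whether /etc/selinux/targeted/logins exists, which bz#914433 assumes it does
# even when SELinux is disabled.

# Return 0 if the log contains the "smoking gun" line from the thread.
selinux_tempfile_failed() {
    grep -q 'write_selinux_login_file.*creating the temp file for SELinux data failed' "$1"
}

# Print a verdict for LOG and DIR. Returns 0 when the mkdir -p workaround applies,
# 1 when the directory exists (so the cause lies elsewhere), 2 when the log shows no failure.
diagnose() {
    log="$1"
    dir="${2:-/etc/selinux/targeted/logins}"
    if selinux_tempfile_failed "$log"; then
        if [ ! -d "$dir" ]; then
            echo "$dir is missing: run 'mkdir -p $dir' (workaround for bz#914433), then retry the login"
            return 0
        fi
        echo "$dir exists: check its label and ownership (ls -ldZ $dir) and look for AVC denials"
        return 1
    fi
    echo "no write_selinux_login_file failure in $log: raise debug_level in [pam] and [domain] and re-check"
    return 2
}

# Self-contained demo: a constructed log (mirrors Shawn's lines) and a directory that does not exist.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
      '(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT' \
      '(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108' \
      > "$tmp/sssd_pam.log"
    diagnose "$tmp/sssd_pam.log" "$tmp/logins"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real client, source the file and call `diagnose /var/log/sssd/sssd_pam.log` (assumed log path) after raising debug_level as Jakub describes.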
Re: [Freeipa-users] Issues after setup
I am able to login to my replica and master with users no problem, just having issues with clients.

On Thu, Apr 4, 2013 at 3:27 PM, Shawn taaj.sh...@gmail.com wrote:
> Hi,
>
> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the secure.log:
>
> fatal: Access denied for user username by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?
>
> Thanks
>
> --
> - Shawn Taaj

--
- Shawn Taaj
Re: [Freeipa-users] Issues after setup
Shawn wrote:
> Hi,
>
> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the secure.log:
>
> fatal: Access denied for user username by PAM account configuration.

Did you disable or remove the default allow_all HBAC rule?

rob
Re: [Freeipa-users] Issues after setup
On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote:
> Hi,
>
> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the secure.log:
>
> fatal: Access denied for user username by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?

Hi Shawn,

I would start with checking the HBAC rules using the ipa hbactest command.

$ ipa hbactest --help

might get you started.
Re: [Freeipa-users] Issues after setup
Run an hbactest:

ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd

Make sure that works; if it does, then you can move on to troubleshooting the host itself.

On Thu, Apr 4, 2013 at 2:27 PM, Shawn taaj.sh...@gmail.com wrote:
> Hi,
>
> I have configured an ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list. I have created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the secure.log:
>
> fatal: Access denied for user username by PAM account configuration.
>
> Any suggestions on steps to troubleshoot this?
>
> Thanks
>
> --
> - Shawn Taaj

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6