Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
Hi Jakub, Please find the logs for the user test created in IPA.

(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=test]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [1][1][name=test]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging sd.int
(Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service pac replied to ping
(Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service ssh replied to ping
(Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service sd.int replied to ping
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Fri Mar 27 10:19:57 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Fri Mar 27 10:19:57 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Fri Mar 27 10:19:57 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Fri Mar 27
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
No. This is the second attempt after changing the password on first login. If you want I can re-send you the logs but this is the second login logs of this user.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Fri, Mar 27, 2015 at 12:32 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Fri, Mar 27, 2015 at 10:28:13AM +0530, Yogesh Sharma wrote:
> > Hi Jakub, Please find the logs for the user test created in IPA.
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Fri, Mar 27, 2015 at 10:28:13AM +0530, Yogesh Sharma wrote:
> Hi Jakub, Please find the logs for the user test created in IPA.
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Fri, Mar 27, 2015 at 5:58 AM, Yogesh Sharma yks0...@gmail.com wrote:
> (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [sss_krb5_cc_verify_ccache] (0x0020): 1078: [-1765328190][Credentials cache permissions incorrect]
> (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache] (0x0040): Cannot check if saved ccache FILE:/tmp/krb5cc_131283_LTtoQU is valid
> (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [krb5_auth_send] (0x0020): check_if_ccache_file_is_used failed.
> (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

maybe this? Could you check what the permissions are on the kerberos cache file for this test user?

--
regards, Natxo

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Fri, Mar 27, 2015 at 12:34:57PM +0530, Yogesh Sharma wrote:
> No. This is the second attempt after changing the password on first login. If you want I can re-send you the logs but this is the second login logs of this user.

Then it would be most interesting to see the logs of the password change, I wonder if something went wrong there.

You said that if you change the password via kinit, then it's changed successfully, right? Does the wrong password change happen only on one certain host or do all behave the same? Did you configure the host using ipa-client-install or some manual method?

I just tested a new user with centos 7 server and git head client and everything seemed to work fine..
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
Yogesh Sharma wrote:
> Hi, We are getting error while trying to ssh using users created in IPA server.
>
> root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94

You don't have a Kerberos ticket and you don't have ssh keys for this user. kinit cm8158 first or get the ssh keys.

You'll need to use the FQDN of the host as well, rather than the IP address, if using Kerberos.

rob

> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 52.74.84.94 [52.74.84.94] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug3: Incorrect RSA1 identifier
> debug3: Could not load /root/.ssh/id_rsa as a RSA1 public key
> debug1: identity file /root/.ssh/id_rsa type 1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host 52.74.84.94 from file /root/.ssh/known_hosts
> debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:89
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Thu, 2015-03-26 at 15:42 +0530, Yogesh Sharma wrote:
> Hi, We are getting error while trying to ssh using users created in IPA server.
>
> root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94

You should use the machine's fully qualified name if you want to login using GSSAPI/Krb5, an IP address cannot be resolved to a proper key as keys are registered into the KDC as host/machine.fully.qualified.name@REALM.

It's the same thing as with HTTPS, the client needs to know the name of the server in order to be able to properly communicate with it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
> Once I manually initialize the user Ticket on IPA Server using kinit username, I am able to login with and without FQDN.

It's expected that IPA users are created with expired password. But SSSD should have prompted you for a password change if you logged in the first time you logged in with the expired password...as seen from the krb5_child.log, it got the correct response from the KDC..
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:
> Thanks, but when I trying to use admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create.
>
> (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625 [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
> (Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625 [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]

password expired?

--
regards, natxo
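The triage done by eye in the two replies from Natxo (picking the 0x0020/0x0040 lines and their Kerberos codes out of the SSSD debug output), as an added example that is not part of the original thread or of SSSD. The function names are hypothetical, the sample is log lines quoted in this thread joined on one line as the archive shows them, and reading the owner UID from the `krb5cc_<uid>_...` file name is an assumption based on the ccname lines in the thread.

```python
import re

# SSSD debug_level bitmask values, as documented in sssd.conf(5).
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
          0x0080: "minor", 0x0100: "config"}
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040

# The three Kerberos codes quoted in this thread, with their libkrb5 names.
# The hints paraphrase what the list members suggest checking.
KRB5_HINTS = {
    -1765328361: ("KRB5KDC_ERR_KEY_EXP",
                  "password expired, a change is required"),
    -1765328360: ("KRB5KDC_ERR_PREAUTH_FAILED",
                  "pre-authentication failed, typically a wrong password"),
    -1765328190: ("KRB5_FCC_PERM",
                  "check owner and mode of the user's ccache file"),
}

# ctime-style timestamp that opens every SSSD debug entry.
TS = (r"\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d "
      r"\d\d:\d\d:\d\d \d{4}\)")
# proc is matched as one non-space token so the bracket-mangled
# "[[sssd[krb5_child[13625" form seen in the archive still parses.
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+(?P<proc>\S+)\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$", re.S)
KRB5_CODE = re.compile(r"\[(-\d+)\]\[([^\]]*)\]")
CCACHE = re.compile(r"FILE:(\S*krb5cc_(\d+)_\S+)")


def split_entries(text):
    """Split a log (one entry per line or flattened) at each timestamp."""
    starts = [m.start() for m in re.finditer(TS, text)]
    bounds = starts + [len(text)]
    return [" ".join(text[a:b].split()) for a, b in zip(bounds, bounds[1:])]


def parse_entry(entry):
    """Return the fields of one entry, or None if it is truncated."""
    m = ENTRY.match(entry)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def triage(text):
    """Keep fatal/critical/serious entries and annotate Kerberos codes."""
    findings = []
    for raw in split_entries(text):
        rec = parse_entry(raw)
        if rec is None or not rec["level"] & FAILURE_MASK:
            continue
        item = {"ts": rec["ts"], "func": rec["func"],
                "severity": LEVELS.get(rec["level"], hex(rec["level"])),
                "msg": rec["msg"]}
        code = KRB5_CODE.search(rec["msg"])
        if code:
            number = int(code.group(1))
            name, hint = KRB5_HINTS.get(number, ("unknown", code.group(2)))
            item.update(krb5_code=number, krb5=name, hint=hint)
        cache = CCACHE.search(rec["msg"])
        if cache:
            # Assumption: the number in the file name is the owning UID.
            item.update(ccache=cache.group(1),
                        expected_uid=int(cache.group(2)))
        findings.append(item)
    return findings


# Log lines quoted in this thread, flattened the way the archive shows them.
SAMPLE = (
    "(Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): "
    "Requesting info for [test] from [ALL] "
    "(Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] "
    "[sss_krb5_cc_verify_ccache] (0x0020): 1078: "
    "[-1765328190][Credentials cache permissions incorrect] "
    "(Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache] "
    "(0x0040): Cannot check if saved ccache "
    "FILE:/tmp/krb5cc_131283_LTtoQU is valid "
    "(Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [krb5_auth_send] "
    "(0x0020): check_if_ccache_file_is_used failed. "
    "(Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625 [get_and_save_tgt] "
    "(0x0020): 981: [-1765328361][Password has expired] "
    "(Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625 [map_krb5_error] "
    "(0x0020): 1043: [-1765328360][Preauthentication failed]"
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        extra = f.get("hint") or f.get("ccache") or ""
        print(f["ts"], f["severity"], f["func"], f.get("krb5", "-"), extra)
```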
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
Hi Jakub, SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed.

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:55 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
> > Once I manually initialize the user Ticket on IPA Server using kinit username, I am able to login with and without FQDN.
>
> It's expected that IPA users are created with expired password. But SSSD should have prompted you for a password change if you logged in the first time you logged in with the expired password...as seen from the krb5_child.log, it got the correct response from the KDC..
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
This message is coming as user is trying to login for first time. IPA Admin has set a password and when user try to login it will prompt to change. sssd log it as password expired.

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:55 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:
> > Thanks, but when I trying to use admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create.
> >
> > (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625 [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
> > (Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625 [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]
>
> password expired?
>
> --
> regards, natxo
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
On Thu, Mar 26, 2015 at 08:05:03PM +0530, Yogesh Sharma wrote:
> Hi Jakub, SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed.

And what do the logs say then, with the new password?
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
I have tried with FQDN of host also as registered, but error remain same:

(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [unpack_buffer] (0x0100): cmd [241] uid [131284] gid [131284] validate [true] enterprise principal [false] offline [false] UPN [te...@sd.int]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_131284_XX] keytab: [/etc/krb5.keytab]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ dns-inf-stg-sg1-01.sd@sd.int]
(Thu Mar 26 19:43:02 2015) [[sssd[krb5_child[13730 [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Thu Mar 26 19:43:06 2015) [[sssd[krb5_child[13730 [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [child_sig_handler] (0x0100): child [13730] finished successfully.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, NULL) [Success]

Once I manually initialize the user Ticket on IPA Server using kinit username, I am able to login with and without FQDN.

[root@ldap-inf-stg-sg1-01 lib]# kinit test1
Password for te...@sd.int:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Password is too short Password not changed.. Please try again.
Enter new password:
Enter it again:

root@yogesh-ubuntu-pc:/home/yogesh# ssh te...@dns-inf-stg-sg1-01.sd.int
te...@dns-inf-stg-sg1-01.sd.int's password:
Last login: Thu Mar 26 19:45:36 2015 from 125.63.90.34
-sh-4.1$ logout
Connection to dns-inf-stg-sg1-01.sd.int closed.
root@yogesh-ubuntu-pc:/home/yogesh# ssh test1@52.74.84.94
test1@52.74.84.94's password:
Last login: Thu Mar 26 19:45:55 2015 from 125.63.90.34
-sh-4.1$

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:42 PM, Yogesh Sharma yks0...@gmail.com wrote:
> Thanks, but when I trying to use admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create.
>
> === TEST user Login Logs:
>
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=test]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 125.63.90.34
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data]
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
Thanks, but when I try to use the admin user (default user created by IPA), I am able to log in. The issue is happening only with new users we are trying to create.

=== TEST user Login Logs:

(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=test]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
(Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 125.63.90.34
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 13615
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [3][1][name=test]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t...@sd.int]
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: sd.int
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 125.63.90.34
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 13615
(Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_pam_handler] (0x0100): Got