Re: [Freeipa-users] Users can't login on some systems.

2017-05-05 Thread Jakub Hrozek
On Fri, May 05, 2017 at 11:58:42AM +, Lakshan Jayasekara wrote:
> IPA user authentication fails on a CentOS client. Login uses a valid account,
> and login succeeds on other IPA client servers. It would be great if you can
> provide any hint or any modification to overcome the situation.

Things I'd try are:
- make sure the user resolves on the target system
- run ipa hbactest to see if the user should be permitted access
- check /var/log/secure and see what pam_sss returns
- increase debug_level in sssd.conf on the client and see what the sssd debug 
logs yield

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Users can't login on some systems.

2017-05-05 Thread Lakshan Jayasekara
IPA user authentication fails on a CentOS client. Login uses a valid account,
and login succeeds on other IPA client servers. It would be great if you can
provide any hint or any modification to overcome the situation.


Below is the audit log

type=USER_START msg=audit(1493987877.034:112): pid=2333 uid=0 auid=0 ses=1 
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open 
grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog
 acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 
terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1493987877.052:113): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy 
kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d direction=? 
spid=2344 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 
terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1493987877.053:114): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy 
kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c direction=? 
spid=2344 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 
terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1493987877.053:115): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy 
kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? 
spid=2344 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 
terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1493987877.057:116): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 
exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 
terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1493987877.057:117): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 
exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 
terminal=/dev/pts/0 res=success'
type=CRED_REFR msg=audit(1493987877.063:118): pid=2344 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" 
hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1493987950.855:119): pid=2367 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d 
direction=? spid=2367 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1493987950.855:120): pid=2367 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=destroy kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c 
direction=? spid=2367 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1493987950.856:121): pid=2367 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=destroy kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e 
direction=? spid=2367 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1493987950.859:122): pid=2366 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 
pfs=diffie-hellman-group-exchange-sha256 spid=2367 suid=74 rport=50587 
laddr=192.168.220.5 lport=22  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1493987950.859:123): pid=2366 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha1 
pfs=diffie-hellman-group-exchange-sha256 spid=2367 suid=74 rport=50587 
laddr=192.168.220.5 lport=22  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=? res=success'
type=USER_AUTH msg=audit(1493988003.357:124): pid=2369 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=PAM:authentication grantors=? acct="lakshan_864" exe="/usr/sbin/sshd" 
hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1493988003.360:125): pid=2366 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=challenge-response acct="lakshan_864" exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1493988025.470:126): pid=2376 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d 
direction=? s

Re: [Freeipa-users] Users can't login on some systems.

2015-08-20 Thread Chris Mohler

Wow, that totally fixed it!

Thanks again.

I simply stopped the sssd service, removed the db, and then started the
sssd service again. My first attempt to login took a few seconds and was
successful. I did not have to reinstall the client or even reboot the
system.


FWIW I put the commands in a script:

sssflush.sh

#!/bin/sh
# Stop sssd, drop its cache databases, then start it again (upstart hosts).
/sbin/initctl stop sssd
rm /var/lib/sss/db/*
/sbin/initctl start sssd

I've needed to do this a few times before.
A note to fellow Ubuntu users: "service sssd stop" doesn't work when you
put it in a script. Use /sbin/initctl instead.


-Chris

On 8/20/2015 7:19 PM, Prasun Gera wrote:
Did you clear out /var/lib/sss/db between re-installation of the 
client? There was a bug which might not have been fixed downstream yet.


On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler wrote:
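A more defensive version of the cache flush from this message, added as an example and not Chris's script or anything from the SSSD project: it picks initctl or systemctl for the host, refuses to touch the cache while the sssd monitor in the pid file is still alive, and moves the ldb files into a 0700 backup instead of deleting them. The /var/lib/sss/db and /var/run/sssd.pid paths are the stock defaults and are parameters, so running it with no arguments rehearses the flush on a scratch directory; "flush" does the real thing.

```shell
#!/bin/sh
# Added example (not the script from the thread): flush the SSSD cache with
# the checks a script run as root should have. Assumes the stock
# /var/lib/sss/db and /var/run/sssd.pid paths; both are parameters so the
# flush can be rehearsed on a scratch directory.

# Stop/start sssd on whichever init system is present. Chris notes that
# "service sssd stop" fails from a script on upstart-era Ubuntu, so initctl is
# used there and systemctl on systemd hosts.
sssd_ctl() {
    if [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1; then
        systemctl "$1" sssd
    elif command -v initctl >/dev/null 2>&1; then
        /sbin/initctl "$1" sssd
    else
        service sssd "$1"
    fi
}

# True while the sssd monitor named in the pid file is still alive. Deleting
# the ldb files under a running sssd leaves it holding unlinked databases.
sssd_running() {
    pidfile="${1:-/var/run/sssd.pid}"
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# Move the cache databases aside rather than deleting them, so the old
# cache_*.ldb can still be inspected (ldbsearch) if the flush was not the fix.
# With cache_credentials = True the cache holds password hashes, so the backup
# is created 0700 and should be removed once the login problem is resolved.
# Prints the number of files moved; refuses to run while sssd is up.
flush_sssd_db() {
    db_dir="${1:-/var/lib/sss/db}" pidfile="${2:-/var/run/sssd.pid}"
    if sssd_running "$pidfile"; then
        echo "sssd is still running; stop it before flushing $db_dir" >&2
        return 1
    fi
    backup="$db_dir.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -m 0700 "$backup" || return 1
    moved=0
    for f in "$db_dir"/*; do
        [ -e "$f" ] || continue      # the glob matched nothing
        mv "$f" "$backup"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# The full flush: stop, wait for the monitor to exit, move the cache, start.
sssflush() {
    sssd_ctl stop || return 1
    i=0
    while sssd_running && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    n=$(flush_sssd_db) || return 1
    echo "moved $n cache files aside; starting sssd"
    sssd_ctl start
}

# Offline rehearsal on a scratch directory with constructed files.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/db"
    touch "$tmp/db/cache_example.test.ldb" "$tmp/db/sssd.ldb"
    n=$(flush_sssd_db "$tmp/db" "$tmp/no-such.pid")
    echo "demo: moved $n files to $tmp/db.bak.*"
    rm -rf "$tmp"
}

case "${1:-demo}" in demo) demo ;; flush) sssflush ;; esac
```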

Re: [Freeipa-users] Users can't login on some systems.

2015-08-20 Thread Chris Mohler

Thanks for the reply,
I did not clear out /var/lib/sss/db before re-installation.

I'll give it a try.
I'll stop the service, clear the db, then restart and see if that helps.

If not, I'll uninstall the client, remove the db, and then reinstall the
client.


Unless it's too late and anyone has a better idea.

-Chris

On 8/20/2015 7:19 PM, Prasun Gera wrote:
Did you clear out /var/lib/sss/db between re-installation of the 
client? There was a bug which might not have been fixed downstream yet.


On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler wrote:

Re: [Freeipa-users] Users can't login on some systems.

2015-08-20 Thread Prasun Gera
Did you clear out /var/lib/sss/db between re-installation of the client?
There was a bug which might not have been fixed downstream yet.

On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler wrote:

[Freeipa-users] Users can't login on some systems.

2015-08-20 Thread Chris Mohler

Hi List,
I'm still fairly new to this list and to administering FreeIPA.

I had a very old version of FreeIPA and had all sorts of odd issues with 
it. I had 47 Ubuntu clients attached to the domain.


I set up a newer FreeIPA server, version 4.1.4.
I recreated all my user accounts by hand; I did not migrate any of them.
I then removed the 47 clients from the old domain:

#ipa-client-install --uninstall

Then I reinstalled each client:

#ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p 
admin -W --hostname `hostname` -N


It finished without errors on all my systems.

Two of my systems will not let any IPA users log in via ssh or the 
console. The rest of them work fine.

After keying in the password I get the following.

Permission denied, please try again.

id (username) shows the UID and GID and Groups correctly.
getent passwd shows only my local accounts; I don't have enumerate on.
kinit also works.

_my auth.log shows this_
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=132.162.201.237  user=HIDDEN
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN

pam_sss(sshd:auth): received for user : 7 (Authentication failure)

I know it's the correct password as it works on the other clients.

_I get this in krb5_child.log_

[[sssd[krb5_child[10546 [unpack_buffer] (0x0100): cmd [241] uid 
[66133] gid [100] validate [true] enterprise principal [false] offline 
[false] UPN [@CS.OBERLIN.EDU]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [unpack_buffer] 
(0x0100): ccname: [FILE:/tmp/krb5cc_66133_XX] keytab: [/etc/krb5.keytab]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 
[set_lifetime_options] (0x0100): Cannot read 
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from 
environment.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [k5c_setup_fast] 
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to 
[host/occs.cs.oberlin@cs.oberlin.edu]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [match_principal] 
(0x1000): Principal matched to the sample 
(host/occs.cs.oberlin@cs.oberlin.edu).
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [main] (0x0400): 
Will perform online auth
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [tgt_req_child] 
(0x1000): Attempting to get a TGT
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 
[get_and_save_tgt] (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [validate_tgt] 
(0x0400): TGT verified using key for 
[host/occs.cs.oberlin@cs.oberlin.edu].
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [become_user] 
(0x0200): Trying to become user [66133][100].
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [k5c_send_data] 
(0x0200): Received error code 0
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546 [main] (0x0400): 
krb5_child completed successfully
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616 [main] (0x0400): 
krb5_child started.
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616 [unpack_buffer] 
(0x1000): total buffer size: [127]
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616 [unpack_buffer] 
(0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise 
principal [false] offline [false] UPN [@CS.OBERLIN.EDU]


_sssd.conf on the broken machine_

[domain/cs.oberlin.edu]
debug_level=8
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = cs.oberlin.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = occs.cs.oberlin.edu
chpass_provider = ipa
ipa_server = _srv_, ipa1.cs.oberlin.edu
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
debug_level=8
domains = cs.oberlin.edu
[nss]
debug_level=8
[pam]
debug_level=8
[sudo]

[autofs]

[ssh]
debug_level=8
[pac]

_The broken system's sssd_nss.log_

[nss_cmd_getpwnam_search] (0x0400): Returning info for user 
[hid...@cs.oberlin.edu]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input 
[HIDDEN].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched 
without domain, user is HIDDEN
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain 
[(null)]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] 
from []
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for 
[NCE/USER/cs.oberlin.edu/HIDDEN]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for 
[hid...@cs.oberlin.edu]

[sssd[nss]] [check_cache] (0x0400): Cached entr