[Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others

2012-10-11 Thread Joe Linoff
Hi:

I am using free-ipa 2.2 to manage LDAP/DNS for about a dozen CentOS 6.3
servers on a small network. I am having a problem where a user cannot
log into a host even though ipa hbactest says that he is authorized.
This user can log into other hosts where ipa hbactest says he is
authorized.

Here is the problem in a nutshell:

# Works for host1
$ ssh user1@host1
user1@host1's password: top-secret
Last login ...
[user1@host1 ~] echo SUCCESS
SUCCESS

# Fails for host2
$ ssh user1@host2
Password: top-secret
Permission denied (publickey, gssapi-keyex, gssapi-with-mic,
keyboard-interactive).

# hbactest
$ ipa hbactest  --user=user1  --host=host1  --service==sshd

Access granted: True

output snipped

# hbactest
$ ipa hbactest  --user=user1  --host=host2  --service==sshd

Access granted: True

output snipped

It seems that free-ipa thinks that everything is copacetic so there must
be something different on the hosts.

I looked at /etc/ssh/sshd.conf, /etc/nsswitch.conf and
/etc/sssd/sssd.conf on both hosts but didn't see anything that looked
out of whack. I also tried ssh  -vvv but wasn't sure how to interpret
the results. I am using an NFS automount /home setup so both are using
the same ~/.ssh.

I am not sure how to debug this.

Do you know why the password prompt is different? That may be a clue.

Can you suggest some other things that I can try?

Any help would be greatly appreciated.

Thank you.

Regards,

Joe

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others

2012-10-11 Thread Jakub Hrozek
On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
> I am not sure how to debug this.

I would start with attaching the relevant contents of /var/log/secure.
Do they differ on the host that succeeds vs the one that fails?



Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others

2012-10-11 Thread Dmitri Pal
On 10/11/2012 05:56 AM, Jakub Hrozek wrote:
> On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
>> I am not sure how to debug this.
> I would start with attaching the relevant contents of /var/log/secure.
> Do they differ on the host that succeeds vs the one that fails?


Maybe the host resolves itself to a different name than you expect/provide
in the hbactest?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
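
The comparison of /var/log/secure suggested earlier in the thread, as an added example that is not part of the original messages: it normalizes the sshd entries for one user so the working and failing host can be diffed. The function names (secure_lines, secure_diff, write_samples), file names and log lines are constructed for illustration and are not the poster's logs; on real hosts, copy each /var/log/secure (readable by root) to a file first.

```shell
#!/bin/sh
# Added example: compare what sshd/PAM logged for one user on two hosts.

# secure_lines USER FILE: print sshd entries mentioning USER with the syslog
# timestamp, host name, PID and client port removed, so hosts can be diffed.
secure_lines() {
    grep -F 'sshd[' "$2" | grep -Fw -- "$1" |
        sed -E -e 's/^.{15} [^ ]+ sshd\[[0-9]+\]: //' -e 's/ port [0-9]+/ port N/'
}

# secure_diff USER FILE_A FILE_B: "<" lines occur only in FILE_A, ">" only in
# FILE_B. Returns 0 if both hosts logged the same sequence, 1 if they differ.
secure_diff() {
    a=$(mktemp) b=$(mktemp) rc=0
    secure_lines "$1" "$2" > "$a"
    secure_lines "$1" "$3" > "$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# write_samples DIR: constructed sample logs (not the poster's real logs).
write_samples() {
    cat > "$1/secure.host1" <<'EOF'
Oct 11 02:39:12 host1 sshd[2088]: Accepted password for user2 from 10.0.0.9 port 40022 ssh2
Oct 11 02:40:01 host1 sshd[2101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user1
Oct 11 02:40:01 host1 sshd[2101]: Accepted password for user1 from 10.0.0.5 port 51234 ssh2
EOF
    cat > "$1/secure.host2" <<'EOF'
Oct 11 02:44:04 host2 sshd[3307]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=user1
Oct 11 02:44:04 host2 sshd[3307]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
Oct 11 02:44:04 host2 sshd[3307]: Failed keyboard-interactive/pam for user1 from 10.0.0.5 port 51240 ssh2
EOF
}

# Demo on the constructed samples.
d=$(mktemp -d); write_samples "$d"
secure_diff user1 "$d/secure.host1" "$d/secure.host2" || echo "host1 and host2 differ for user1"
rm -rf "$d"
```

Entries that are identical on both hosts drop out of the diff, so what remains is the PAM phase or sshd message where the two hosts diverge.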

