Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
On 10/11/2012 05:56 AM, Jakub Hrozek wrote:
> On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
>> I am not sure how to debug this.
> I would start with attaching the relevant contents of /var/log/secure.
> Do they differ on the host that succeeds vs the one that fails?

Maybe the host resolves itself to a different name than you expect/provide in the hbactest?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
> I am not sure how to debug this.

I would start with attaching the relevant contents of /var/log/secure.
Do they differ on the host that succeeds vs the one that fails?

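The comparison suggested in the reply above, as an added example that is not part of the original thread: it strips the timestamp, hostname, PID, addresses and ports from the sshd lines in /var/log/secure so that only the messages that differ between the two hosts remain. The function names and the sample log lines are constructed for illustration.

```python
import re

# Syslog prefix as written to /var/log/secure: "Oct 11 02:40:01 host1 sshd[2211]: msg"
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s(\w[\w.-]*)\[\d+\]:\s(.*)$")

# Constructed sample lines (not the poster's logs, and not a diagnosis of the thread).
WORKING = [
    "Oct 11 02:40:01 host1 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=user1",
    "Oct 11 02:40:01 host1 sshd[2211]: Accepted password for user1 from 192.0.2.10 port 50122 ssh2",
    "Oct 11 02:40:01 host1 sshd[2211]: pam_unix(sshd:session): session opened for user user1 by (uid=0)",
]
FAILING = [
    "Oct 11 02:41:17 host2 sshd[1870]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=user1",
    "Oct 11 02:41:17 host2 sshd[1870]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)",
    "Oct 11 02:41:17 host2 sshd[1870]: Failed keyboard-interactive/pam for user1 from 192.0.2.10 port 50140 ssh2",
]

def normalize(lines, user):
    """Keep sshd messages that mention `user`, with per-session noise removed."""
    out = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m or m.group(2) != "sshd" or user not in m.group(3):
            continue
        msg = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}\b", "<ip>", m.group(3))
        msg = re.sub(r"port \d+", "port <n>", msg)
        out.append(msg)
    return out

def differing(working, failing, user):
    """Return the normalized messages that appear on only one of the two hosts."""
    w, f = normalize(working, user), normalize(failing, user)
    return {
        "only_on_working": [x for x in w if x not in f],
        "only_on_failing": [x for x in f if x not in w],
    }

if __name__ == "__main__":
    for side, msgs in differing(WORKING, FAILING, "user1").items():
        print(side)
        for msg in msgs:
            print("  " + msg)
```

The PAM module and phase in each remaining line (`auth`, `account`, `session`) show at which stage the two hosts diverge.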
[Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
Hi:

I am using free-ipa 2.2 to manage LDAP/DNS for about a dozen CentOS 6.3 servers on a small network.

I am having a problem where a user cannot log into a host even though "ipa hbactest" says that he is authorized. This user can log into other hosts where "ipa hbactest" says he is authorized.

Here is the problem in a nutshell:

    # Works for host1
    $ ssh user1@host1
    user1@host1's password:
    Last login ...
    [user1@host1 ~] echo "SUCCESS"
    SUCCESS

    # Fails for host2
    $ ssh user1@host2
    Password:
    Permission denied (publickey, gssapi-keyex, gssapi-with-mic, keyboard-interactive).

    # hbactest
    $ ipa hbactest --user=user1 --host=host1 --service==sshd
    Access granted: True

    # hbactest
    $ ipa hbactest --user=user1 --host=host2 --service==sshd
    Access granted: True

It seems that free-ipa thinks that everything is copacetic so there must be something different on the hosts.

I looked at /etc/ssh/sshd.conf, /etc/nsswitch.conf and /etc/sssd/sssd.conf on both hosts but didn't see anything that looked out of whack. I also tried "ssh -vvv" but wasn't sure how to interpret the results.

I am using an NFS automount /home setup so both are using the same ~/.ssh.

I am not sure how to debug this. Do you know why the password prompt is different? That may be a clue. Can you suggest some other things that I can try?

Any help would be greatly appreciated.

Thank you.

Regards,
Joe