On Thu, Oct 01, 2015 at 12:14:34PM +0000, markus....@mc.ingenico.com wrote:
> Dear @all,
> 
> I've an issue with two, Oracle Linux based, clients and my freeipa server. I 
> can authenticate on any of the enrolled machines but the two Oracle servers 
> aren't able to access sudo and I don't know why.
                          ~~~~~~~~~~~
                        What version of OEL and sssd?

> 
> Here are a few things I've already figured out.
> 
> Both machines are enrolled from scratch and I see the following entries in 
> ldap_child.log
> 
> (Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3933]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/<servername>@<domain>' not found in Kerberos database
> 
> (Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3934]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/<servername>@<domain>' not found in Kerberos database

This looks like the enrollment is not correct, are you able to kinit -k?

> 
> Furthermore I get the following entries in the secure log
> 
> pam_unix(sudo:auth): authentication failure; logname=<username> uid=957400001 
> euid=0 tty=/dev/pts/1 ruser=<username> rhost=  user=<username>
> 
> pam_sss(sudo:auth): authentication failure; logname=<username> uid=957400001 
> euid=0 tty=/dev/pts/1 ruser=<username> rhost= user=<username>
> 
> pam_sss(sudo:auth): received for user <username>: 4 (System error)

You said you were able to authenticate, but here the authentication is
throwing system error. How did you authenticate, was it maybe with ssh
keys?

Is that all you have in krb5_child.log? I don't see the child exiting in
the logs..

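The triage the reply walks through (find the host principal the KDC rejects, note the pam_sss result code, then decide what to check next) can be scripted over the collected logs. This is an added example, not part of the original thread or of SSSD; the hostname, realm, user and the function names `triage` and `next_checks` are constructed for illustration.

```python
import re

# Constructed sample, modelled on the excerpts quoted in the thread
# (hostname, realm and user are made-up placeholders). Lines are wrapped
# the way a mail client would wrap them.
SAMPLE = """\
(Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3933]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
'host/client1.example.test@EXAMPLE.TEST' not found in Kerberos database
(Thu Oct  1 12:51:52 2015) [[sssd[ldap_child[3934]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
'host/client1.example.test@EXAMPLE.TEST' not found in Kerberos database
pam_sss(sudo:auth): authentication failure; logname=alice uid=957400001
euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
pam_sss(sudo:auth): received for user alice: 4 (System error)
"""

MISSING_PRINC = re.compile(
    r"\[ldap_child_get_tgt_sync\] \(0x[0-9a-fA-F]+\): Failed to init "
    r"credentials: Client '([^']+)' not found in Kerberos database")
PAM_RESULT = re.compile(
    r"pam_sss\((\w+):auth\): received for user (\S+): (\d+) \(([^)]*)\)")

def triage(raw):
    """Extract host principals the KDC does not know and pam_sss results."""
    text = " ".join(raw.split())  # undo line wrapping and repeated spaces
    principals = sorted(set(MISSING_PRINC.findall(text)))
    pam = [(svc, user, int(code), msg)
           for svc, user, code, msg in PAM_RESULT.findall(text)]
    return {"missing_principals": principals, "pam_results": pam}

def next_checks(findings):
    """Turn findings into the follow-up checks raised in the reply."""
    # A principal missing from the KDC points at enrollment: test the keytab.
    checks = [f"kinit -k {p}" for p in findings["missing_principals"]]
    # PAM result 4 is a system error, so look at the child process log.
    if any(code == 4 for _, _, code, _ in findings["pam_results"]):
        checks.append("review krb5_child.log for the failing request")
    return checks

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(found)
    for step in next_checks(found):
        print("next:", step)
```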