Re: [Freeipa-users] SSH auth failing in IPA trust
Hmm, can't get it to work, but right now it looks like I have other problems.. I'll try to follow up on this if the problem continues when I get the other problems solved.

> Can you clear the caches on the client? The client receives the principals
> from the server the same way as it receives other attributes.
Re: [Freeipa-users] SSH auth failing in IPA trust
On Thu, Aug 04, 2016 at 03:39:26PM +0200, Troels Hansen wrote:
> Hmm, was too fast.
>
> ldap_user_principal = nosuchattr
> subdomain_inherit = ldap_user_principal
>
> Works, but ONLY from the IPA server.
>
> If I do the same from a client, I still get:
>
> (Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [get_and_save_tgt]
> (0x0020): 1234: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos
> database]
> (Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [map_krb5_error]
> (0x0020): 1303: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos
> database]
> (Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [k5c_send_data]
> (0x0200): Received error code 1432158209
>
> Any reason for this not working on a normal client ?

Can you clear the caches on the client? The client receives the principals from the server the same way as it receives other attributes.
Re: [Freeipa-users] SSH auth failing in IPA trust
Hmm, was too fast.

ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

Works, but ONLY from the IPA server.

If I do the same from a client, I still get:

(Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos database]
(Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos database]
(Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374 [k5c_send_data] (0x0200): Received error code 1432158209

Any reason for this not working on a normal client ?

- On Aug 4, 2016, at 2:31 PM, Troels Hansen t...@casalogic.dk wrote:

> Solved it myself.
>
> http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
>
> Apparently it's well known, and will be solved in 7.3
>
> - On Aug 4, 2016, at 1:56 PM, Troels Hansen t...@casalogic.dk wrote:
>
>> Hmm, well, yes, it did:
>>
>> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [unpack_buffer]
>> (0x0100):
>> cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise
>> principal [false] offline [false] UPN [drext...@dr.dk]
>> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>> [host/ipa02tst.linux.dr...@linux.dr.dk]
>> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18122
>> [set_canonicalize_option]
>> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
Re: [Freeipa-users] SSH auth failing in IPA trust
Solved it myself.

http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html

Apparently it's well known, and will be solved in 7.3

- On Aug 4, 2016, at 1:56 PM, Troels Hansen t...@casalogic.dk wrote:

> Hmm, well, yes, it did:
>
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [unpack_buffer]
> (0x0100):
> cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise
> principal [false] offline [false] UPN [drext...@dr.dk]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa02tst.linux.dr...@linux.dr.dk]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18122
> [set_canonicalize_option]
> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121
> [set_canonicalize_option]
> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [unpack_buffer]
> (0x0100):
> cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise
> principal [false] offline [false] UPN [drext...@dr.dk]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [unpack_buffer]
> (0x0100):
> ccname: [KEYRING:persistent:1349938498] old_ccname:
> [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa02tst.linux.dr...@linux.dr.dk]
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
Re: [Freeipa-users] SSH auth failing in IPA trust
Hmm, well, yes, it did:

(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [unpack_buffer] (0x0100): cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drext...@dr.dk]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr...@linux.dr.dk]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18122 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drext...@dr.dk]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1349938498] old_ccname: [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr...@linux.dr.dk]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos database]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18124 [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'drext...@dr.dk' not found in Kerberos database]

and this is actually correct, because the UPN would be drext...@dr.dk.

I found this: https://access.redhat.com/solutions/323373

However, setting ldap_user_principal in the domain part to something non-existing doesn't seem to work.

- On Aug 4, 2016, at 1:22 PM, Jakub Hrozek jhro...@redhat.com wrote:

> On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
>> Hi, we have set up IPA in an AD trust and is about 90% done, but still have one
>> problem using SSH login.
>>
>> Kerberos works:
>> # kdestroy
>> # kinit drext...@net.dr.dk
>> Password for drext...@net.dr.dk:
>> # klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: drext...@net.dr.dk
>>
>> Valid starting       Expires              Service principal
>> 08/04/2016 12:46:17  08/04/2016 22:46:17  krbtgt/net.dr...@net.dr.dk
>>         renew until 08/05/2016 12:46:09
>>
>>
>> I can see the user:
>>
>> # getent passwd drext...@net.dr.dk
>> drext...@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>>
>> However, can't log in using SSH:
>>
>> login as: drext...@net.dr.dk
>> drext...@net.dr.dk@ipa02tst.linux.dr.dk's password:
>> Access denied
>>
>>
>> When I look at the log files it looks correct, until we receive a "
>> be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success
>> (System error)] " error, which I can't quite resolve or even verify if that's
>> what's causing the problem.
>>
>>
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
>> (0x0010): unsupported PAM command [249].
Re: [Freeipa-users] SSH auth failing in IPA trust
On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
> Hi, we have set up IPA in an AD trust and is about 90% done, but still have
> one problem using SSH login.
>
> Kerberos works:
> # kdestroy
> # kinit drext...@net.dr.dk
> Password for drext...@net.dr.dk:
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: drext...@net.dr.dk
>
> Valid starting       Expires              Service principal
> 08/04/2016 12:46:17  08/04/2016 22:46:17  krbtgt/net.dr...@net.dr.dk
>         renew until 08/05/2016 12:46:09
>
>
> I can see the user:
>
> # getent passwd drext...@net.dr.dk
> drext...@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>
> However, can't log in using SSH:
>
> login as: drext...@net.dr.dk
> drext...@net.dr.dk@ipa02tst.linux.dr.dk's password:
> Access denied
>
>
> When I look at the log files it looks correct, until we receive a "
> be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success
> (System error)] " error, which I can't quite resolve or even verify if that's
> what's causing the problem.
>
>
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
> (0x0010): unsupported PAM command [249].
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
> (0x0010): password not available, offline auth may not work.
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
> (0x0100): Sending result [0][net.dr.dk]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
> (0x0100): Sent result [0][net.dr.dk]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100):
> Got request with the following data
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> command: PAM_AUTHENTICATE
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> domain: net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> user: drext...@net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> service: sshd
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> tty: ssh
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> ruser:
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> rhost: t01042.net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> authtok type: 1
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> priv: 1
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> cli_pid: 17348
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
> logon name: not set
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'IPA'
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler]
> (0x0100): child [17356] finished successfully.
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 4, ) [Success (System error)]

Please take a look into krb5_child.log, it should have more hints on why the authentication failed. (This is documented at https://fedorahosted.org/sssd/wiki/Troubleshooting, section "Troubleshooting general authentication problems")
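An added example, not part of the original thread and not SSSD code: a small Python check for the pattern the krb5_child.log excerpts in this thread show. It pairs each krb5_child process's UPN (from unpack_buffer) with a "Client not found in Kerberos database" error and flags when the UPN's realm differs from the domain typed at login. The helper name `upn_failures`, the sample log lines and the user names are constructed for illustration.

```python
import re

# A krb5_child.log entry: "... krb5_child[PID]]]] [function] (level): message".
# The closing brackets after the PID are optional because the archived copies
# in this thread lost them.
ENTRY = re.compile(
    r"krb5_child\[(?P<pid>\d+)\]*\s+\[(?P<func>\w+)\]\s+\(0x[0-9a-f]+\):\s*(?P<msg>.*)"
)
UPN = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
KRB_ERR = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")

# KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ("Client not found in Kerberos database").
C_PRINCIPAL_UNKNOWN = -1765328378

# Constructed sample (users and realms are made up), in both bracket styles.
SAMPLE_LOG = """\
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100): cmd [241] uid [1000] gid [1000] validate [true] enterprise principal [false] offline [false] UPN [jdoe@example.com]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'jdoe@example.com' not found in Kerberos database]
(Thu Aug  4 13:47:30 2016) [[sssd[krb5_child[18200 [unpack_buffer] (0x0100): cmd [241] uid [1001] gid [1001] validate [true] enterprise principal [false] offline [false] UPN [asmith@AD.EXAMPLE.COM]
(Thu Aug  4 13:47:30 2016) [[sssd[krb5_child[18200 [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'asmith@AD.EXAMPLE.COM' not found in Kerberos database]
"""


def upn_failures(log_text, login_domain):
    """Return one finding per 'client not found' error in a krb5_child log.

    login_domain is the domain part users type at the SSH prompt.
    realm_mismatch is True when the UPN that SSSD sent to the KDC carries a
    different realm than that domain (the situation diagnosed in the thread).
    """
    upn_by_pid, findings = {}, []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        pid, func, msg = m["pid"], m["func"], m["msg"]
        if func == "unpack_buffer":
            u = UPN.search(msg)
            if u:  # the second unpack_buffer line (ccname) carries no UPN
                upn_by_pid[pid] = u["upn"]
        elif func == "get_and_save_tgt":
            e = KRB_ERR.search(msg)
            if e and int(e["code"]) == C_PRINCIPAL_UNKNOWN:
                upn = upn_by_pid.get(pid)
                realm = upn.rpartition("@")[2].lower() if upn else None
                findings.append({
                    "pid": pid,
                    "upn": upn,
                    "realm_mismatch": upn is not None and realm != login_domain.lower(),
                })
    return findings


if __name__ == "__main__":
    for f in upn_failures(SAMPLE_LOG, "ad.example.com"):
        print(f)
```

A finding with `realm_mismatch` set points at the UPN attribute rather than at the password or the account itself; a finding without it means the KDC does not know the principal under the login domain either.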