Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts
On Mon, Jun 03, 2013 at 06:58:35AM +0200, Natxo Asenjo wrote:
> On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham wrote:
> >
> >> What I see is:
> >>
> >> fatal: Access denied for user admin by PAM account configuration
> >>
> >> What about disabling selinux?
> >
> >
> > Whoops, I probably should have caught these myself.
> >
> > Disabling SELinux fixed one of the hosts. I didn't even look at it because I
> > believed that I had disabled it previously.
> >
> > The other problem host didn't have SELinux enabled but was missing the
> > /etc/selinux/targeted directory structure and was dropping an error:
> >
> > [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for
> > SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun 2
> > 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
> >
> > Everything's working fine now -- thanks for looking at those logs.
>
> glad it helped, but it should also work with selinux enabled.
>
> Could you try running restorecon -rv on /etc and /home at least,
> re-enabling selinux and logging in again? For me and many others, it
> works and it really is the new 'best practices' to have it on ;-)

Did the directory /etc/selinux/targeted/logins/ exist at all? We've had a bug where if SELinux was disabled, the directory didn't exist and creating a temp file there failed. But from your e-mail it sounds like you actually had luck after disabling SELinux?

Natxo's suggestion then would be a valid one, too, please let us know whether restorecon did change any contexts.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
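The check asked about in the message above, as an added example that is not code from the thread or from SSSD: it pulls the write_selinux_login_file failure out of an sssd_pam log and tests whether the directory it names exists. The function names, the ROOT prefix argument and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the ROOT prefix
# argument are assumptions made for illustration.

# Constructed sample, modelled on the sssd_pam log line quoted in the thread.
sample_log() {
    cat <<'EOF'
(Sun Jun  2 18:01:43 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
(Sun Jun  2 18:01:44 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun  2 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
EOF
}

# Print the unique directories where SSSD failed to create its temp file.
# $1 = log file
failed_login_dirs() {
    sed -nE 's/.*\[write_selinux_login_file\].*creating the temp file for SELinux data failed\. *([^ (]+).*/\1/p' "$1" |
        while IFS= read -r path; do dirname "$path"; done | sort -u
}

# Print each of those directories that is absent under ROOT.
# $1 = log file, $2 = ROOT prefix (empty means the live filesystem)
missing_login_dirs() {
    local root="${2:-}" dir
    failed_login_dirs "$1" | while IFS= read -r dir; do
        [ -d "${root}${dir}" ] || printf '%s\n' "$dir"
    done
}

# Report SELinux mode when getenforce is present, then any missing directories.
# Returns 1 if a directory named in a failure line is missing.
triage() {
    local missing
    if command -v getenforce >/dev/null 2>&1; then
        printf 'SELinux mode: %s\n' "$(getenforce)"
    fi
    missing="$(missing_login_dirs "$1" "${2:-}")"
    [ -z "$missing" ] && { printf 'OK: no missing directories\n'; return 0; }
    printf '%s\n' "$missing" | sed 's/^/MISSING: /'
    return 1
}

# Demo on a scratch tree: first run reports the gap, second run is clean.
demo="$(mktemp -d)"
sample_log > "$demo/sssd_pam.log"
triage "$demo/sssd_pam.log" "$demo" || true
mkdir -p "$demo/etc/selinux/targeted/logins"
triage "$demo/sssd_pam.log" "$demo"
rm -rf "$demo"
```

On a real client, pass the SSSD PAM responder log and omit the second argument so the check runs against the live filesystem.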
Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts
On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham wrote:
>
>> What I see is:
>>
>> fatal: Access denied for user admin by PAM account configuration
>>
>> What about disabling selinux?
>
>
> Whoops, I probably should have caught these myself.
>
> Disabling SELinux fixed one of the hosts. I didn't even look at it because I
> believed that I had disabled it previously.
>
> The other problem host didn't have SELinux enabled but was missing the
> /etc/selinux/targeted directory structure and was dropping an error:
>
> [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for
> SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun 2
> 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
>
> Everything's working fine now -- thanks for looking at those logs.

glad it helped, but it should also work with selinux enabled.

Could you try running restorecon -rv on /etc and /home at least, re-enabling selinux and logging in again? For me and many others, it works and it really is the new 'best practices' to have it on ;-)

--
groet,
natxo
Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts
> What I see is:
>
> fatal: Access denied for user admin by PAM account configuration
>
> What about disabling selinux?
>

Whoops, I probably should have caught these myself.

Disabling SELinux fixed one of the hosts. I didn't even look at it because I believed that I had disabled it previously.

The other problem host didn't have SELinux enabled but was missing the /etc/selinux/targeted directory structure and was dropping an error:

[sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun 2 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25

Everything's working fine now -- thanks for looking at those logs.

Best regards,
Ryan
Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts
On Sun, Jun 2, 2013 at 9:49 PM, Ryan Cunningham wrote:
> Hello,
>
> I've been evaluating FreeIPA in a lab environment prior to possibly rolling
> it out in our enterprise but have been having issues with a few hosts
> rejecting SSH logins for users authenticated against the FreeIPA server via
> SSSD.
>
> All systems are running CentOS 6.4 with FreeIPA client/server 3.0.0
> installed from the base repo. The default RBAC rule to allow all users
> access to all hosts is in effect, the only Kerberos/LDAP/SSSD/PAM
> configuration changes that have been made on client machines (apart from
> enabling debug logging) were done with `ipa-client-install --mkhomedir`.
>
> I enabled debug logging for SSSD and have included relevant bits from the
> log files here:
> https://gist.github.com/arg0sy/5694537

What I see is:

fatal: Access denied for user admin by PAM account configuration

I would compare the pam.d dir on systems where you can login to the one on systems you cannot log in to.

What about disabling selinux? Anything strange on audit.log? Maybe the context of the homedir is not correct.

--
groet,
natxo