Re: [Freeipa-users] User can't login via ssh from external
On Thu, Jul 26, 2012 at 09:12:35PM +, Steven Jones wrote:
> Yes,
>
> So, I reset the password and that failed, so I added the user to my desktop
> group, logged in to my desktop with ssh localhost and set the password, then I
> could log into the client fine. Other users had no problem logging in via
> the HBAC rule.
>
> This sort of behaviour is usually a precursor to the replication totally
> failing, on average it lasts about 2 weeks
>
> :(

I'm sorry about the trouble but without more information it's hard for me to
debug the problem. If you get hit by the problem in the future, can you:

- test the HBAC rule with the "ipa hbactest" command
- attach or paste the last couple of lines from the /var/log/secure file
- attach or paste the relevant contents of /var/log/sssd/sssd_pam.log and
  /var/log/sssd/sssd_$domain.log

That should be enough info for us to start looking in the right direction.

Thank you!

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] User can't login via ssh from external
Yes,

So, I reset the password and that failed, so I added the user to my desktop
group, logged in to my desktop with ssh localhost and set the password, then I
could log into the client fine. Other users had no problem logging in via the
HBAC rule.

This sort of behaviour is usually a precursor to the replication totally
failing, on average it lasts about 2 weeks

:(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Jakub Hrozek [jhro...@redhat.com]
Sent: Thursday, 26 July 2012 8:01 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

On Thu, Jul 26, 2012 at 01:39:12AM +, Steven Jones wrote:
> I am now getting this

Steven, are you saying you can't login even though hbactest passes for your
user? Can you then append or paste the last couple of lines of /var/log/secure
and the relevant part of the SSSD domain log?

Pasting the rules (sanitized) would help to replicate the problem, too.
Re: [Freeipa-users] User can't login via ssh from external
On Thu, Jul 26, 2012 at 01:39:12AM +, Steven Jones wrote:
> I am now getting this

Steven, are you saying you can't login even though hbactest passes for your
user? Can you then append or paste the last couple of lines of /var/log/secure
and the relevant part of the SSSD domain log?

Pasting the rules (sanitized) would help to replicate the problem, too.
Re: [Freeipa-users] User can't login via ssh from external
On Wed, Jul 25, 2012 at 02:38:36PM -0700, Joe Linoff wrote:
> > As Rob says, I think we should take a look at SSSD and system logs.
> >
> > Can you paste or attach the couple of lines that are appended to
> > /var/log/secure during the login attempt? That should give us a clue on
> > whether the SSSD PAM modules are contacted.
> >
> > Can you also add "debug_level = 8" to the [pam] and [domain/$name]
> > sections of the SSSD, restart the SSSD and paste or attach
> > /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$name.log ?
> > Feel free to sanitize the logs before sending them out.
>
> Thank you. Unfortunately I am unable to reproduce the problem so I am
> not sure that this is a good use of your time. If I find that I can
> reproduce it, I will capture the logs and send them on.
>
> Does that make sense?

Sure, I'm glad your setup works now.
Re: [Freeipa-users] User can't login via ssh from external
I am now getting this

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Joe Linoff [jlin...@tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using “ipa hbactest …”.
It showed that the rules were correct. Do you think that the GUI might provide
a different result?

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID’s were provided by IPA. Actually during testing I also provided my own
at one point but reverted back when that didn’t seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates
break the system or are there ranges of UIDs that are not legal?

> I'd suggest re-setting that user's password and get them to login and reset
> the password, that works for me, it was a sign of bad/failed replication in
> my system I think (now fixed).

I tried that using kpasswd and “ipa passwd” to change the password but neither
solved the problem. In both cases I was able to run “kinit new-user” and set
the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I
could not (and cannot) figure out where. It is doubly difficult because
removing and re-adding the user worked. In addition, adding other users worked.

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
> As Rob says, I think we should take a look at SSSD and system logs.
> Can you paste or attach the couple of lines that are appended to /var/log/secure during
> the login attempt? That should give us a clue on whether the SSSD PAM modules are contacted.
> Can you also add "debug_level = 8" to the [pam] and [domain/$name] sections of the SSSD,
> restart the SSSD and paste or attach /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$name.log ?
> Feel free to sanitize the logs before sending them out.

Thank you. Unfortunately I am unable to reproduce the problem so I am not sure
that this is a good use of your time. If I find that I can reproduce it, I will
capture the logs and send them on.

Does that make sense?

Thank you for your suggestions and help.

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
On Mon, Jul 23, 2012 at 06:22:55PM -0400, Rob Crittenden wrote:
> Joe Linoff wrote:
> > Hi Steve:
> >
> > Thank you for your suggestions.
> >
> > > In the gui you can do a hbac test of the rule.
> >
> > I ran the hbactest rule testing from the command line using “ipa
> > hbactest …”. It showed that the rules were correct. Do you think that
> > the GUI might provide a different result?
>
> No, the GUI and CLI share exactly the same backend code.
>
> > > Also what are the UIDS? IPA provided 32bit ones? or your own?
> >
> > The UID’s were provided by IPA. Actually during testing I also provided
> > my own at one point but reverted back when that didn’t seem to make a
> > difference.
> >
> > Can you explain why that might cause the problem? For example, would
> > duplicates break the system or are there ranges of UIDs that are not legal?
>
> The issue is if the UIDS are < 1000 they are treated as local in sssd.
>
> > > I'd suggest re-setting that user's password and get them to login and
> > > reset the password, that works for me, it was a sign of bad/failed
> > > replication in my system I think (now fixed).
> >
> > I tried that using kpasswd and “ipa passwd” to change the password but
> > neither solved the problem. In both cases I was able to run “kinit
> > new-user” and set the credentials using the new password but new-user
> > could not ssh in.
> >
> > It was a really strange problem. It looks like something got out of sync
> > but I could not (and cannot) figure out where. It is doubly difficult
> > because removing and re-adding the user worked. In addition, adding
> > other users worked.
>
> It could be that sssd cached something and wouldn't let it go, too.
> If you can reproduce this it is probably worthwhile to bump up the log
> level and add pam debug logging to see what is happening.

As Rob says, I think we should take a look at SSSD and system logs.

Can you paste or attach the couple of lines that are appended to
/var/log/secure during the login attempt? That should give us a clue on
whether the SSSD PAM modules are contacted.

Can you also add "debug_level = 8" to the [pam] and [domain/$name] sections of
the SSSD, restart the SSSD and paste or attach /var/log/sssd/sssd_pam.log and
/var/log/sssd/sssd_$name.log ? Feel free to sanitize the logs before sending
them out.
Re: [Freeipa-users] User can't login via ssh from external
Hi Rob:

> The issue is if the UIDS are < 1000 they are treated as local in sssd.

Ahh, of course, thanks. I never assigned any UIDs < 1000 (or less than 1 for
that matter).

> It could be that sssd cached something and wouldn't let it go, too. If you can reproduce
> this it is probably worthwhile bump up the log level and add pam debug logging to see
> what is happening.

That is a great idea and it makes sense given what I was seeing. I will give it
a try. I just wasn't sure which service I should be analyzing.

Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:23 PM
To: Joe Linoff
Cc: steven.jo...@vuw.ac.nz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
> > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using "ipa
> hbactest ...". It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

> > Also what are the UIDS? IPA provided 32bit ones? or your own?
>
> The UID's were provided by IPA. Actually during testing I also
> provided my own at one point but reverted back when that didn't seem
> to make a difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

> > I'd suggest re-setting that user's password and get them to login
> > and reset the password, that works for me, it was a sign of bad/failed
> > replication in my system I think (now fixed).
>
> I tried that using kpasswd and "ipa passwd" to change the password but
> neither solved the problem. In both cases I was able to run "kinit
> new-user" and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of
> sync but I could not (and cannot) figure out where. It is doubly
> difficult because removing and re-adding the user worked. In addition,
> adding other users worked.

It could be that sssd cached something and wouldn't let it go, too. If you can
reproduce this it is probably worthwhile to bump up the log level and add pam
debug logging to see what is happening.

regards

rob
Re: [Freeipa-users] User can't login via ssh from external
Hi Rob:

Thank you for helping.

> Are you performing a login between steps 3 and 5? Otherwise all that does is add
> a member/memberof and then remove it. I don't see how this would affect anything.

Hmmm, good point. I think that I was probably doing a "kinit" between steps 3
and 5 which would amount to the same thing, right?

Regards,

Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:21 PM
To: Joe Linoff
Cc: sgall...@redhat.com; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
> 2. Re-added the user
> 3. Add the user to administrator groups.
> 4. Changed/set the password.
> 5. Removed the administrator privileges.
> 6. Attempt remote ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that not doing them
> causes the strange login problem. I can also show that the HBAC rules
> are enforced properly after step 5 is run so this works for me. I just
> don't understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is
add a member/memberof and then remove it. I don't see how this would affect
anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgall...@redhat.com; d...@redhat.com
> *Cc:* freeipa-users@redhat.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it
> this morning but it didn't work. That particular user is still not
> able to login. What is even more interesting is that I created a user
> with the identical setup and the new user worked (i.e., they were able
> to ssh in remotely).
>
> I am really confused by this because it does not appear to be a global
> setup issue like ssh. It may be some sort of HBAC rule violation or
> something else equally strange. I just can't figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
> Thanks,
>
> Joe
Re: [Freeipa-users] User can't login via ssh from external
Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
> > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using “ipa
> hbactest …”. It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

> > Also what are the UIDS? IPA provided 32bit ones? or your own?
>
> The UID’s were provided by IPA. Actually during testing I also provided
> my own at one point but reverted back when that didn’t seem to make a
> difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

> > I'd suggest re-setting that user's password and get them to login and
> > reset the password, that works for me, it was a sign of bad/failed
> > replication in my system I think (now fixed).
>
> I tried that using kpasswd and “ipa passwd” to change the password but
> neither solved the problem. In both cases I was able to run “kinit
> new-user” and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of sync
> but I could not (and cannot) figure out where. It is doubly difficult
> because removing and re-adding the user worked. In addition, adding
> other users worked.

It could be that sssd cached something and wouldn't let it go, too. If you can
reproduce this it is probably worthwhile to bump up the log level and add pam
debug logging to see what is happening.

regards

rob
Re: [Freeipa-users] User can't login via ssh from external
as below.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Joe Linoff [jlin...@tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using “ipa hbactest …”.
It showed that the rules were correct. Do you think that the GUI might provide
a different result?

probably not

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID’s were provided by IPA. Actually during testing I also provided my own
at one point but reverted back when that didn’t seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates
break the system or are there ranges of UIDs that are not legal?

===
pam prevents any user with a UID <500 from logging in with ssh (that bit me
last week).
===

> I'd suggest re-setting that user's password and get them to login and reset
> the password, that works for me, it was a sign of bad/failed replication in
> my system I think (now fixed).

I tried that using kpasswd and “ipa passwd” to change the password but neither
solved the problem. In both cases I was able to run “kinit new-user” and set
the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I
could not (and cannot) figure out where. It is doubly difficult because
removing and re-adding the user worked. In addition, adding other users worked.

==
Yes, I had the same symptoms, removing and re-adding a user worked for me also
but re-setting the user's password in the web ui also worked and it's easier.
It came down to failed replication I think, as now that is solved the issue has
not re-appeared for users.
==

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
> 2. Re-added the user
> 3. Add the user to administrator groups.
> 4. Changed/set the password.
> 5. Removed the administrator privileges.
> 6. Attempt remote ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that not doing them causes
> the strange login problem. I can also show that the HBAC rules are
> enforced properly after step 5 is run so this works for me. I just don’t
> understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is
add a member/memberof and then remove it. I don't see how this would affect
anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgall...@redhat.com; d...@redhat.com
> *Cc:* freeipa-users@redhat.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it this
> morning but it didn’t work. That particular user is still not able to
> login. What is even more interesting is that I created a user with the
> identical setup and the new user worked (i.e., they were able to ssh in
> remotely).
>
> I am really confused by this because it does not appear to be a global
> setup issue like ssh. It may be some sort of HBAC rule violation or
> something else equally strange. I just can’t figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
> Thanks,
>
> Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using "ipa hbactest ...".
It showed that the rules were correct. Do you think that the GUI might provide
a different result?

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID's were provided by IPA. Actually during testing I also provided my own
at one point but reverted back when that didn't seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates
break the system or are there ranges of UIDs that are not legal?

> I'd suggest re-setting that user's password and get them to login and reset the password, that
> works for me, it was a sign of bad/failed replication in my system I think (now fixed).

I tried that using kpasswd and "ipa passwd" to change the password but neither
solved the problem. In both cases I was able to run "kinit new-user" and set
the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I
could not (and cannot) figure out where. It is doubly difficult because
removing and re-adding the user worked. In addition, adding other users worked.

Regards,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Folks:

I managed to get the user working doing the following (all from the CLI):

1. Deleted the user (ipa user-del new-user)
2. Re-added the user
3. Add the user to administrator groups.
4. Changed/set the password.
5. Removed the administrator privileges.
6. Attempt remote ssh login.

Steps 3 and 5 are a hack but I can demonstrate that not doing them causes the
strange login problem. I can also show that the HBAC rules are enforced
properly after step 5 is run so this works for me. I just don't understand why
it is necessary.

Thank you for all of your help and suggestions.

Regards,

Joe

From: Joe Linoff
Sent: Monday, July 23, 2012 1:51 PM
To: sgall...@redhat.com; d...@redhat.com
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning
but it didn't work. That particular user is still not able to login. What is
even more interesting is that I created a user with the identical setup and the
new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup
issue like ssh. It may be some sort of HBAC rule violation or something else
equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi,

In the gui you can do a hbac test of the rule.

Also what are the UIDS? IPA provided 32bit ones? or your own?

I'd suggest re-setting that user's password and get them to login and reset
the password, that works for me, it was a sign of bad/failed replication in my
system I think (now fixed).

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Joe Linoff [jlin...@tabula.com]
Sent: Tuesday, 24 July 2012 8:50 a.m.
To: sgall...@redhat.com; d...@redhat.com
Cc: Joe Linoff; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning
but it didn’t work. That particular user is still not able to login. What is
even more interesting is that I created a user with the identical setup and the
new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup
issue like ssh. It may be some sort of HBAC rule violation or something else
equally strange. I just can’t figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,

Joe
Re: [Freeipa-users] User can't login via ssh from external
Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning
but it didn't work. That particular user is still not able to login. What is
even more interesting is that I created a user with the identical setup and the
new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup
issue like ssh. It may be some sort of HBAC rule violation or something else
equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,

Joe
Re: [Freeipa-users] User can't login via ssh from external source
On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote:
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack or you need to login as this user and change his
> password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options are
set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the single-sign-on.
That's done by GSSAPIAuthentication.
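As an added example (not code from the thread or from the FreeIPA project), the following POSIX shell audit checks an sshd_config, or the effective configuration printed by `sshd -T`, against the five directives listed in the message above, so that a client whose expired IPA password cannot be changed through PAM is caught before a user reports "Permission denied". It goes slightly beyond the message by honouring sshd's first-occurrence rule, ignoring Match blocks, and assuming the upstream OpenSSH defaults for absent directives; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config (or the
# effective configuration printed by `sshd -T`) for the directives that
# let an expired IPA password be changed through the PAM stack (SSSD)
# during ssh login instead of ending in "Permission denied".
# Assumptions: POSIX sh with awk; only the global section is inspected
# (parsing stops at the first "Match" line); a directive that is absent
# takes the upstream OpenSSH default listed in DEFAULTS.

# keyword=recommended value; keywords lowercased so `sshd -T` output,
# which prints lowercase keywords, is handled too
WANTED="usepam=yes passwordauthentication=no kerberosauthentication=no \
gssapiauthentication=yes challengeresponseauthentication=yes"

# keyword=value assumed by sshd when the directive is not set (assumed
# upstream defaults; a distribution's shipped file may override them)
DEFAULTS="usepam=no passwordauthentication=yes kerberosauthentication=no \
gssapiauthentication=no challengeresponseauthentication=yes"

# lookup KEY "k=v k=v ...": print the value stored for KEY
lookup() {
    for pair in $2; do
        if [ "${pair%%=*}" = "$1" ]; then
            printf '%s\n' "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# sshd_effective FILE KEYWORD: print the value sshd would use.
# sshd honours the FIRST occurrence of a keyword, so the first
# non-comment match wins; comparison is case-insensitive.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"                { exit }
        tolower($1) == key                    { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        lookup "$2" "$DEFAULTS"
    fi
}

# check_sshd_config FILE: print one line per directive that differs from
# WANTED and return the number of mismatches (0 = as recommended).
check_sshd_config() {
    bad=0
    for pair in $WANTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '$got', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# write_samples: constructed sample configs (not from the thread) written
# to temporary files named by BEFORE and AFTER.
write_samples() {
    BEFORE=$(mktemp)
    AFTER=$(mktemp)
    # sshd handles the password itself and never calls PAM: the expired
    # password cannot be changed at login, so the user is simply refused
    cat >"$BEFORE" <<'EOF'
Port 22
PasswordAuthentication yes
GSSAPIAuthentication yes
UsePAM no
EOF
    # the recommended settings; the trailing Match block is ignored
    cat >"$AFTER" <<'EOF'
Port 22
UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

write_samples
echo "--- before ---"; check_sshd_config "$BEFORE" || echo "$? mismatch(es)"
echo "--- after ---";  check_sshd_config "$AFTER" && echo "all recommended settings present"
```

On a live client, run it against `/etc/ssh/sshd_config` or against a file produced by `sshd -T` to see the values sshd actually applies.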
Re: [Freeipa-users] User can't login via ssh from external source
On 07/20/2012 03:03 PM, Joe Linoff wrote:
> Hi Everybody:
>
> I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
> problem with a new user that I just setup.
>
> That user cannot ssh into any host on the realm from an external
> source. They get a permission denied problem but "old-user" with the
> same HBAC configuration works.
>
> % ssh -A -t -o Port=9346 new-u...@somehost.example.com
> new-u...@somehost.example.com's password:
> Permission denied, please try again.
> % ssh -A -t -o Port=9346 old-u...@somehost.example.com
> old-u...@somehost.example.com's password:
> Last login: ...
> [old-user@somehost ~]$
>
> I checked their password by setting up a TGT using kinit. It worked. I
> was also able to ssh into another host on the network.
>
> % kinit new-user
> Password for new-u...@example.com
> % ssh new-user@somehost
> Last login: ...
> Could not chdir to home directory ...
> -bash-4.1$ exit
>
> That seems to indicate that the password is correct and that the
> permissions are correct but to be sure I ran an hbactest on the server:
>
> % ipa hbactest --user=new-user --service=ssh --host=somehost
>
> Access granted: True
>
> ...
>
> I did see something strange in /var/log/messages:
>
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
> Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
>
> So I reset the password using the ipa passwd command:
>
> % ipa passwd new-user
> New Password:
> Enter New Password again to verify:
> ---
> Changed password for new-u...@example.com
> --
>
> But I am still getting the Permission denied error.
>
> What am I doing wrong? How can I debug this? Any help would be greatly
> appreciated.

When you set the password on the server using the ipa passwd command you make
it known to the admin. This is why it is right away expired and requires a
change. A user needs to log in through the client that allows changing the
password as a part of the authentication. It looks like your ssh is not
configured to do password change (I suspect it uses GSSAPI but I might be
wrong). So either the ssh needs to be configured to do the password change over
the pam stack or you need to login as this user and change his password and
then you will be able to ssh.

> Thanks,
>
> Joe

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.