On ma, 23 maalis 2020, Faraz Younus via FreeIPA-users wrote:
> I enrolled my client using the below command. Previously it was working
> with another, old FreeIPA server with version 3.0. Now I enrolled this
> 3.0 version client with a new IPA server with version 4.6.
> ipa-client-install --mkhomedir --server=ipa1.example.com --domain=example.com
So, what is the distribution and its version?
Your configuration below doesn't have any pam_sss mentioned, this seems
unlikely to be a proper ipa-client-install on RHEL/CentOS/Fedora
systems, even for very old versions.
Can you please provide /var/log/ipaclient-install.log?
> england-web-dev:/home/ansible # cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
This configuration does not have pam_sss in it which means it is simply
not using any IPA integration and is not able to authenticate users from
IPA.
Do you also have 'sss' in /etc/nsswitch.conf entries?
On Mon, Mar 23, 2020 at 1:14 AM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On ma, 23 maalis 2020, Faraz Younus via FreeIPA-users wrote:
> >I'm not getting logs on sssd while accessing ssh however I'm getting logs
> >in secure logs, it is looking for linux user
>
> How did you enroll this machine? What distribution does it run?
>
> Then you need to check your pam configuration for ssh server to see what
> is there. On RHEL/Fedora it is /etc/pam.d/sshd. If it has
>
> auth substack password-auth
> auth include postlogin
>
> then /etc/pam.d/password-auth defines what authentication is used.
>
> There should be pam_sss mentioned.
>
> For details see manual page for pam.d(5).
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
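
The two checks discussed in this thread (is pam_sss reachable from the sshd PAM stack through its include/substack lines, and is 'sss' listed in /etc/nsswitch.conf) can be scripted. The following is an added example, not part of the original messages or of FreeIPA; the function names and the sample file contents are assumptions constructed for illustration.

```python
from pathlib import Path

# Constructed sample: sshd lines as quoted in the thread, shortened password-auth without pam_sss.
SAMPLE_PAM = {
    "sshd": "auth substack password-auth\nauth include postlogin\n",
    "password-auth": "#%PAM-1.0\nauth required pam_env.so\n"
                     "auth sufficient pam_unix.so nullok try_first_pass\n"
                     "auth required pam_deny.so\naccount required pam_unix.so\n"
                     "session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid\n",
}
SAMPLE_NSS = "passwd: files\ngroup: files sss  # constructed\n"

def read_service(name, files=None, pam_dir="/etc/pam.d"):
    """Return the text of one PAM service file ('' if it is missing)."""
    if files is not None:                      # in-memory files, used for the sample
        return files.get(name, "")
    path = Path(pam_dir, name)
    return path.read_text() if path.is_file() else ""

def modules_for(service, files=None, stack=()):
    """Map PAM type -> modules reachable from service via include/substack."""
    found = {}
    if service in stack:                       # guard against include loops
        return found
    for line in read_service(service, files).splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 3:
            continue
        ptype = f[0].lstrip("-")
        if f[1] in ("include", "substack"):    # only the same type is pulled in
            sub = modules_for(f[2], files, stack + (service,))
            found.setdefault(ptype, []).extend(sub.get(ptype, []))
            continue
        i = 1
        if f[1].startswith("["):               # bracketed control may contain spaces
            while i < len(f) - 1 and not f[i].endswith("]"):
                i += 1
        if i + 1 < len(f):
            found.setdefault(ptype, []).append(Path(f[i + 1]).name)
    return found

def nss_uses_sss(text, databases=("passwd", "group")):
    """Return {database: True/False} for whether 'sss' is a listed source."""
    result = dict.fromkeys(databases, False)
    for line in text.splitlines():
        key, _, sources = line.split("#", 1)[0].partition(":")
        if key.strip() in result:
            result[key.strip()] = "sss" in sources.split()
    return result
```

On a real host, call `modules_for("sshd")` with no `files` argument to read /etc/pam.d, and pass the contents of /etc/nsswitch.conf to `nss_uses_sss`.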