Hi list,

I'm pretty new to FreeIPA, having played with it for only a few weeks. I lack some troubleshooting experience and I'm currently stuck on a weird issue.

We installed 3 servers, each linked with the two others. We have about Linux servers and Linux workstations enrolled. The servers manage rights for several services, including an OpenVPN gateway.

OpenVPN is configured to authenticate through PAM, using a service named "vpn-users". HBAC rules control whether a user is allowed to authenticate against this service.

/etc/pam.d/vpn-users:
@include common-account

Everything was fine until I had to change my password because it expired ... Since I changed it, I've been experiencing weird behavior. I'm an admin, and HBAC allows me everything. For resilience, I'm also a member of the authorized vpn-users group. No change was made on the IPA servers at all besides normal user configuration.

Now I can no longer authenticate against our 'vpn-users' service. All other users are fine.

On the VPN server (Ubuntu 18.04), /var/log/auth.log:

Sep 19 13:41:46 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=xxx
Sep 19 13:41:46 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): received for user xxx: 17 (Failure setting user credentials)

On the IPA servers (CentOS 7):

Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1452](info): closing down fd 11
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: PREAUTH_FAILED: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): closing down fd 11

IPA server packages:
ipa-common.noarch 0:4.5.4-10.el7.centos.3
ipa-server.x86_64 0:4.5.4-10.el7.centos.3
ipa-server-common.noarch 0:4.5.4-10.el7.centos.3
ipa-server-dns.noarch 0:4.5.4-10.el7.centos.3

Guess what? Whatever it says, the password I use for this auth should be right ... ;)

I tried to force cache invalidation everywhere (OpenVPN server, all IPAs) using sss_cache -E. All servers were even rebooted! I also changed my password again. Nothing helps. I have access to all other services that authenticate against the IPAs (sudo, su, xdm login, etc.) using that password. This service is the only one that sucks.

Could anyone help us understand what's going on? I miss that VPN access ;)

Thanks in advance, folks!
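Added example (not part of the original post, and not FreeIPA or SSSD code): a small triage script that correlates the two log excerpts quoted above, mapping the pam_sss result code (17 = PAM_CRED_ERR in Linux-PAM numbering) to the KDC's AS_REQ PREAUTH_FAILED line for the same user, so you can tell whether the KDC itself rejected the pre-authentication or whether the failure stayed on the SSSD/PAM side. The sample input is the post's own lines plus one constructed line for a made-up user "bob" with result code 7; the verdict names are assumptions of this example.

```python
import re

# Constructed sample input: the lines quoted in the post, plus a made-up bob/code-7 line for the other branch.
AUTH_LOG = """\
Sep 19 13:41:46 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): received for user xxx: 17 (Failure setting user credentials)
Sep 19 13:42:10 stgi-01 openvpn[2676]: pam_sss(vpn-users:auth): received for user bob: 7 (Authentication failure)
"""
KDC_LOG = """\
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Additional pre-authentication required
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) x.x.x.x: PREAUTH_FAILED: xxx@AUTH.EXAMPLE.COM for krbtgt/AUTH.EXAMPLE.COM@AUTH.EXAMPLE.COM, Incorrect password in encrypted challenge
"""

PAM_CODES = {7: "PAM_AUTH_ERR", 17: "PAM_CRED_ERR"}  # Linux-PAM numbering; 17 is the code in the post
PAM_RE = re.compile(r"pam_sss\([^:]+:\w+\): received for user (?P<user>\S+): (?P<code>\d+) \(")
KDC_RE = re.compile(r"AS_REQ .*? \S+: PREAUTH_FAILED: (?P<user>[^@]+)@\S+ for \S+, (?P<msg>.*)$")
PREAUTH_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure")

def parse_pam(text):
    """user -> set of symbolic PAM result names seen in pam_sss 'received for user' lines."""
    out = {}
    for m in filter(None, map(PAM_RE.search, text.splitlines())):
        out.setdefault(m["user"], set()).add(PAM_CODES.get(int(m["code"]), "PAM_" + m["code"]))
    return out

def parse_kdc(text):
    """user -> {"failed": n, "mechs": {...}, "reasons": {...}} from KDC AS_REQ pre-auth failures."""
    out, last_mech = {}, None  # the 'preauth (...) verify failure' line precedes its PREAUTH_FAILED line
    for line in text.splitlines():
        if (p := PREAUTH_RE.search(line)):
            last_mech = p["mech"]
        elif (m := KDC_RE.search(line)):
            rec = out.setdefault(m["user"], {"failed": 0, "mechs": set(), "reasons": set()})
            rec["failed"] += 1
            rec["reasons"].add(m["msg"])
            rec["mechs"].add(last_mech or "unknown")
            last_mech = None
    return out

def triage(pam_text, kdc_text):
    # For each user pam_sss rejected: did the KDC itself refuse the pre-auth (the password check)?
    kdc, report = parse_kdc(kdc_text), {}
    for user, names in parse_pam(pam_text).items():
        k = kdc.get(user, {"failed": 0, "mechs": set(), "reasons": set()})
        if "PAM_CRED_ERR" not in names:
            verdict = "other_pam_failure"
        elif k["failed"]:
            verdict = "kdc_rejected_preauth"  # the KDC, not a stale SSSD cache, refused the password
        else:
            verdict = "cred_err_without_kdc_failure"  # KDC never said no: look at the SSSD/PAM side
        report[user] = {"verdict": verdict, "kdc_mechs": sorted(k["mechs"]), "kdc_reasons": sorted(k["reasons"])}
    return report
```

Run it against the real /var/log/auth.log and /var/log/krb5kdc.log contents for the same time window (note the two hosts' clocks in the post differ by two hours); a "kdc_rejected_preauth" verdict means the next place to look is what SSSD is sending in the encrypted challenge, not the client-side cache.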