On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote:
On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote:
> On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote:
>> hi guys
>>
>> I think it was asked on the list before but I still cannot find the thread.
>>
>> Should AD's users be able to login to IPA's clients (non-replica) in a
>> pretty vanilla setup? Those users can login to IPA masters okay.
>>
>> I have not created any HBACs yet, nor added new hostgroups etc.
>>
>> When I ssh to IPA's client that client denies that user & shows:
>>
>> pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
> Hi,
>
> 'Permission denied' is typically returned during the PAM access control
> step 'pam_sss(sshd:account)'. For auth there should be only a few cases
> like an expired user in AD, but in this case login to the IPA masters
> shouldn't work as well.
>
> Please add 'debug_level=9' at least to the [pam] and [domain/...]
> section of sssd.conf on the client, restart SSSD, try to authenticate
> and send the logs from /var/log/sssd.
>
> bye,
> Sumit
hi,
before I dump the whole lot of logs, this is a snippet from the moment ssh
auth fails, after debug_level=9:
..
k,cn=users,cn=mine.private,cn=sysdb] has set [ts_cache] attrs.
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [ldb] (0x4000):
commit ldb transaction (nesting: 0)
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done]
(0x0100): Backend is marked offline, retry later!
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]]
[check_wait_queue] (0x1000): Wait queue for user [pawel(a)mine.private] is
empty.
..
does the above give out any clues?
Do you see a message like 'Timeout for child [1234] reached. In case KDC
is distant or network is slow you may consider increasing value of
krb5_auth_timeout.' before the ones you have sent? If that's the case
please add
krb5_auth_timeout = 30
to the [domain/...] section of sssd.conf, restart SSSD and try again.
Please note that SSSD does more than just authenticating the user by
requesting a Kerberos ticket, the ticket is validated as well which
causes additional requests to the IPA server and AD DCs. This might need
a bit longer than the default timeout of 6s.
HTH
bye,
Sumit
many thanks, L.
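As an added example (not part of the thread or of SSSD itself), a small Python check that applies Sumit's diagnostic to a client's SSSD domain log and sssd.conf: it looks for the 'Timeout for child' message, reads the domain's krb5_auth_timeout (falling back to the 6s default he mentions), and reports the setting he recommends when the configured value is lower. The log lines, domain name, PID and the [krb5_child_timeout] function tag are constructed; only the message texts come from the thread.

```python
import re
from configparser import ConfigParser

DEFAULT_KRB5_AUTH_TIMEOUT = 6  # seconds; the built-in default Sumit refers to

# Constructed sample of the client's domain log. Domain, PID and the
# [krb5_child_timeout] tag are illustrative; message texts are from the thread.
SAMPLE_LOG = """\
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.example.test]]] [krb5_child_timeout] (0x0040): Timeout for child [1234] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.example.test]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
"""

# Constructed sssd.conf with no krb5_auth_timeout, so the default applies.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
debug_level = 9
"""

TIMEOUT_RE = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\].*Timeout for child \[(?P<pid>\d+)\] reached")
OFFLINE_RE = re.compile(r"\[krb5_auth_done\] \(0x0100\): Backend is marked offline")

def find_krb5_child_timeouts(log_text):
    """One (domain, pid) per krb5 child that SSSD killed for exceeding krb5_auth_timeout."""
    return [(m["domain"], int(m["pid"]))
            for m in map(TIMEOUT_RE.search, log_text.splitlines()) if m]

def effective_krb5_auth_timeout(conf_text, domain):
    """Value SSSD uses for this domain: the explicit setting or the built-in default."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}", "krb5_auth_timeout",
                     fallback=DEFAULT_KRB5_AUTH_TIMEOUT)

def diagnose(log_text, conf_text, recommended=30):
    """Pair each timeout with the configured value and the suggested sssd.conf line."""
    went_offline = OFFLINE_RE.search(log_text) is not None
    findings = []
    for domain, pid in find_krb5_child_timeouts(log_text):
        current = effective_krb5_auth_timeout(conf_text, domain)
        findings.append({"domain": domain, "pid": pid, "current_timeout": current,
                         "backend_went_offline": went_offline,
                         "fix": f"krb5_auth_timeout = {recommended}"
                                if current < recommended else None})
    return findings
```

Run `diagnose(open_log_text, open_conf_text)` against a real client's /var/log/sssd/sssd_<domain>.log and /etc/sssd/sssd.conf; an empty result means no krb5 child hit the timeout, so the "Permission denied" has another cause.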
>> ...
>>
>> many thanks, L.
>>
>> pub rsa2048 2019-01-17 [SC] [verfällt: 2020-01-17]
>> 93059F241EEEE1D0769A85F455918ABF21224EBA
>> uid lejeczek <peljasz(a)yahoo.co.uk>
>> sub rsa2048 2019-01-17 [E] [verfällt: 2020-01-17]
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...