I enrolled my client using below command previously it was working for other old freeipa server with 3.0 version, Now I enrolled this client 3.0 version with new IPA server with version 4.6.

ipa-client-install --mkhomedir --server=ipa1.example.com --domain=example.com 

Below are config currently on my client machine 

england-web-dev:/home/ansible # cat  /etc/pam.d/sshd


auth   required pam_sepermit.so

auth       include      password-auth

account    required     pam_nologin.so

account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open env_params

session    optional     pam_keyinit.so force revoke

session    include      password-auth

england-web-dev:/home/ansible # cat /etc/pam.d/password-auth


# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        required      pam_deny.so

account     required      pam_unix.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

On Mon, Mar 23, 2020 at 1:14 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On ma, 23 maalis 2020, Faraz Younus via FreeIPA-users wrote:
>I'm not getting logs on sssd while accessing ssh however I'm getting logs
>in secure logs, it is looking for linux user

How did you enroll this machine? What distribution does it run?

Then you need to check your pam configuration for ssh server to see what
is there. On RHEL/Fedora it is /etc/pam.d/sshd. If it has

auth substack password-auth
auth include postlogin

then /etc/pam.d/password-auth defines what authentication is used.

There should be pam_sss mentioned.

For details see manual page for pam.d(5).
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland