Hi,
I'm running a single server with multiple clients. The OS is CentOS 7. When I installed the server, I created the accounts and then installed the clients. Overall, the installations went great, and I checked on the clients that I could log in with the new accounts that were created. All was going great. Time is synced with the server.
When I try to log in to the FreeIPA server locally, it fails. I go to the login screen, type in my account name with domain, ex. admin1@MY.DOMAIN. It appears to be logging in, it tells me that there were no previous failed logins, etc., but then the screen goes back to the original login screen. No appearance of a failure other than it won't let me log in. Any thoughts? What logs should I be looking at?
I can still login with the local accounts.
Thanks!
On Mon, Mar 23, 2020 at 05:37:07PM -0000, Scott Reed via FreeIPA-users wrote:
> Hi,
> I'm running a single server with multiple clients. The OS is CentOS 7. When I installed the server, I created the accounts and then installed the clients. Overall, the installations went great, and I checked on the clients that I could log in with the new accounts that were created. All was going great. Time is synced with the server.
> When I try to log in to the FreeIPA server locally, it fails. I go to the login screen, type in my account name with domain, ex. admin1@MY.DOMAIN. It appears to be logging in, it tells me that there were no previous failed logins, etc., but then the screen goes back to the original login screen. No appearance of a failure other than it won't let me log in. Any thoughts? What logs should I be looking at?
Hi,
can you check if the home directory for admin1 was created during the login attempt?
bye, Sumit
> I can still log in with the local accounts.
> Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
No, the home directory for admin1 was not created.
Scott
On Tue, Mar 24, 2020 at 11:59:59AM -0000, Scott Reed via FreeIPA-users wrote:
> No, the home directory for admin1 was not created.
Hi,
so I guess a line like
session optional pam_oddjob_mkhomedir.so umask=0077
is missing in e.g. /etc/pam.d/password-auth on the IPA server while it is present on the clients. Since it is not recommended to log in as "ordinary" user on the IPA servers it is not added by default.
If you call
authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
on the IPA server pam_oddjob_mkhomedir should be added at the needed places. But this should only be done if it is really necessary to log in to the IPA server as "ordinary" user. If only admin1 is needed it might be better to create the home directory manually.
HTH
bye, Sumit
> Scott
Sumit,
Why would I not want to login to the server with IPA accounts? I can control their access privileges with the IPA policies.
Thanks,
Scott
On Tue, Mar 24, 2020 at 02:54:53PM -0000, Scott Reed via FreeIPA-users wrote:
> Sumit,
> Why would I not want to login to the server with IPA accounts? I can control their access privileges with the IPA policies.
Hi,
sure, I just wanted to point out that pam_oddjob_mkhomedir.so is not strictly necessary on the IPA servers and that's why it is not enabled by default. If you prefer to have it on new servers you can use the '--mkhomedir' option with ipa-server-install.
bye, Sumit
Thanks,
> Scott
On Tue, 24 Mar 2020, Scott Reed via FreeIPA-users wrote:
> Sumit,
> Why would I not want to login to the server with IPA accounts? I can control their access privileges with the IPA policies.
This is fully under your control. See the man page for ipa-server-install(1), it describes all options. You could have specified --mkhomedir when running the original ipa-server-install and that would have configured automatic creation of the home directories on the local /home file system.
Since you didn't do that, you can follow Sumit's suggestion to enable on-demand home directory creation.
Note that it is still recommended to reduce access to IPA masters to only allow users that have a need to access them. Your IPA masters are the heart of your infrastructure, so be mindful of what operations regular users are allowed to do on the machines. Many attacks against core infrastructure are often based on proxying through mere users on other systems to get local access to more privileged resources.
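One way to act on the recommendation above with the "IPA policies" Scott mentions, as an added example that is not code from the thread or from the FreeIPA project: an HBAC rule that allows sshd and login on the masters only for members of the admins group, checked with ipa hbactest. It assumes the hostgroup ipaservers that ipa-server-install creates, the built-in admins group, and placeholder names (rule ipa_masters_admins, user admin1, host ipa1.my.domain). It prints the ipa commands by default (DRY_RUN=1) so they can be reviewed; with DRY_RUN=0 and an admin Kerberos ticket it executes them.

```shell
#!/bin/sh
# Added example, not FreeIPA code: restrict interactive access to the IPA
# masters to one group via HBAC. Names below are assumptions/placeholders.
# DRY_RUN=1 (default) prints each ipa command; DRY_RUN=0 runs it (needs
# "kinit admin" first).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the rule: RULE lets members of GROUP use sshd and login on every host
# in HOSTGROUP, then disable the default allow_all rule, which would otherwise
# keep every user allowed everywhere. Disabling allow_all is global: every
# enrolled client needs its own HBAC rule before this step, or logins there
# stop working as well.
restrict_masters() {
    rule="$1"; hostgroup="$2"; group="$3"
    run ipa hbacrule-add "$rule" --desc="interactive access to IPA masters"
    run ipa hbacrule-add-host "$rule" --hostgroups="$hostgroup"
    run ipa hbacrule-add-user "$rule" --groups="$group"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
    run ipa hbacrule-add-service "$rule" --hbacsvcs=login
    run ipa hbacrule-disable allow_all
}

# Simulate the access decision server-side before anyone gets locked out:
# hbactest reports which rules matched and whether access is granted.
verify_access() {
    user="$1"; host="$2"; service="${3:-sshd}"
    run ipa hbactest --user="$user" --host="$host" --service="$service"
}

# Usage: DRY_RUN=0 sh restrict_masters.sh   (after kinit admin)
if [ "${1:-}" = "apply" ]; then
    restrict_masters ipa_masters_admins ipaservers admins
    verify_access admin1 ipa1.my.domain sshd
    verify_access someuser ipa1.my.domain sshd   # expected: access denied
fi
```

Run verify_access for both an admin and an ordinary user on a master before disabling allow_all; the second call should report the new rule not matching and access denied, which is the state Alexander is recommending.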
Thanks. That answers my question.