Hi everybody.
I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10.
All is good, logging via IPA credentials, HBAC and sudo rules are working.
I have only one issue: logging in via SSH with AD credentials. Before the upgrade
all was working well.
I think that the trust is ok, because kinit, ipa hbactest and ipa
trustdomain-find (on both ipa servers) are working well:

[root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM
  Domain name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@mlv-ipasrv01 ~]# ipa hbactest --user=morgan.marodin@mydomain.com --host=mlv-testipa01.ipa.mydomain.com
Service: sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ad_ipa_admins
  Not matched rules: allow_ad_ipa_apps
  Not matched rules: allow_ipa_it_mysite
[root@mlv-testipa01 ~]# kinit morgan.marodin@mydomain.com
Password for morgan.marodin@mydomain.com:
[root@mlv-testipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: morgan.marodin@MYDOMAIN.COM

Valid starting       Expires              Service principal
02/19/2019 17:55:23  02/20/2019 03:55:23  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/20/2019 17:55:18
This is the error log:

[root@mlv-testipa01 ~]# tail -f /var/log/secure
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104
It seems to be a problem with pam and sssd.
Do you have any suggestions?
Thanks, bye.
Morgan
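The log excerpt in the post shows the useful detail for triage: pam_sss reports success in the auth phase and a denial in the account phase, so the password was accepted and the block comes from the account/access check that pam_sss runs afterwards, not from the credential check. The script below is an added example (not part of the original post and not FreeIPA or SSSD code) that groups pam_sss lines by sshd pid and reports which PAM phase decided each session. The sample lines are constructed: the first four follow the shape of the excerpt above, and the two other sessions (pids 378510 and 378600, users bob and alice) are made up for contrast. The numeric-to-name mapping for the PAM codes follows Linux-PAM's numbering.

```python
import re
from collections import defaultdict

# Linux-PAM numeric return codes that pam_sss prints after "... for user X: N (...)"
PAM_CODES = {
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}

# Constructed sample: the first four lines follow the shape of the /var/log/secure excerpt
# in the post; the sessions for pids 378510 and 378600 are made up for contrast.
SAMPLE_LOG = """\
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104
Feb 19 18:05:02 mlv-testipa01 sshd[378510]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.10 user=bob
Feb 19 18:05:02 mlv-testipa01 sshd[378510]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Feb 19 18:06:40 mlv-testipa01 sshd[378600]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.11 user=alice
Feb 19 18:06:40 mlv-testipa01 sshd[378600]: Accepted keyboard-interactive/pam for alice from 192.168.0.11 port 40112 ssh2
"""

# One pam_sss line: which sshd process, which PAM phase, and the module's message.
PAM_SSS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)$"
)
AUTH_USER_RE = re.compile(r" user=(?P<user>\S+)$")       # "... user=alice" (not "ruser=")
FOR_USER_RE = re.compile(r"for user (?P<user>\S+?): ")   # "... for user bob: 7 (...)"
CODE_RE = re.compile(r": (?P<code>\d+) \(")              # the numeric PAM return code


def describe_code(code):
    if code is None:
        return "no PAM code logged"
    return f"{code} {PAM_CODES.get(code, 'unlisted PAM code')}"


def classify(session):
    """Decide which PAM phase settled a session's fate."""
    user = session.get("user", "?")
    if session.get("auth") == "failure":
        return {"user": user, "blocked_in": "auth",
                "detail": "credentials rejected (" + describe_code(session.get("auth_code")) + ")"}
    if session.get("auth") == "success" and session.get("account") == "denied":
        return {"user": user, "blocked_in": "account",
                "detail": "credentials accepted, account/access check denied ("
                          + describe_code(session.get("account_code")) + ")"}
    if session.get("auth") == "success":
        return {"user": user, "blocked_in": "none", "detail": "login allowed"}
    return {"user": user, "blocked_in": "unknown", "detail": "incomplete pam_sss record"}


def triage(log_text):
    """Group pam_sss lines by sshd pid and classify each session."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue  # sshd's own lines (Accepted ..., monitor_read ...) carry no phase info
        s = sessions[m.group("pid")]
        phase, msg = m.group("phase"), m.group("msg")
        um = AUTH_USER_RE.search(msg) or FOR_USER_RE.search(msg)
        if um:
            s.setdefault("user", um.group("user"))
        cm = CODE_RE.search(msg)
        code = int(cm.group("code")) if cm else None
        if phase == "auth":
            if msg.startswith("authentication success"):
                s["auth"] = "success"
            elif msg.startswith("authentication failure"):
                s["auth"] = "failure"
            if code is not None:
                s["auth_code"] = code
        else:  # account phase: pam_sss only logs here when it denies
            s["account"] = "denied" if msg.startswith("Access denied") else "other"
            if code is not None:
                s["account_code"] = code
    return {pid: classify(s) for pid, s in sessions.items()}


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {result['user']}: blocked in {result['blocked_in']} phase; {result['detail']}")
```

Run as-is it reports the posted session as blocked in the account phase with code 6 (PAM_PERM_DENIED); on a real client, pass the contents of /var/log/secure to triage() instead of SAMPLE_LOG. The point of keying on the phase is that an account-phase denial should send you to the client's access-control configuration (sssd.conf and the rules it evaluates) rather than to the credential path, which the auth line already shows working.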