5:17 a.m.
After setting up my IPA environment, I am unable to log in successfully on some of my
Linux servers. When I check /var/log/secure for authentication logs, I see the errors
below
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): authentication failure;
logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6
(Permission denied)
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): authentication failure;
logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6
(Permission denied)
From the root user, I can switch to the user (daazeez) but when I try sudo, inputting
password return authentication failed
Host: oracle linux 7.4
IPA server: IPA, version: 4.9.8
2:28 a.m.
Am Fri, Dec 30, 2022 at 11:17:59AM -0000 schrieb Damola Azeez via FreeIPA-users:
After setting up my IPA environment, I am unable to log in
successfully on some of my Linux servers. When I check /var/log/secure for authentication
logs, I see the errors below
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): authentication failure;
logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6
(Permission denied)
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): authentication failure;
logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6
(Permission denied)
Hi,
typically you get 'Permission denied' during the authentication step
only if the user is locked on the server. But I guess this is not the
case here. Please check the SSSD logs in /var/log/sssd if you can find
any additional details which might help. If not you can enabled further
debugging output by adding 'debug_level = 9' to the [pam] and
[domain/...] sections in sssd.conf, restart SSSD and try su or sudo
again.
bye,
Sumit
From the root user, I can switch to the user (daazeez) but when I try sudo, inputting
password return authentication failed
Host: oracle linux 7.4
IPA server: IPA, version: 4.9.8
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
7:26 a.m.
Hi Sumit,
sssd_pam.log shiws the below
(2023-01-05 14:39:15): [pam] [sss_dp_get_reply] (0x0010): The Data Provider returned an
error [org.freedesktop.sssd.Error.DataProvider.Offline]
(2023-01-05 14:39:23): [pam] [sss_dp_get_reply] (0x0010): The Data Provider returned an
error [org.freedesktop.sssd.Error.DataProvider.Offline]
sssd_nss
========
(2022-12-07 16:21:14): [nss] [orderly_shutdown] (0x0010): SIGTERM: killing children
(2022-12-07 16:26:40): [nss] [orderly_shutdown] (0x0010): SIGTERM: killing children
(2022-12-07 16:58:53): [nss] [sss_dp_get_reply] (0x0010): The Data Provider returned an
error [org.freedesktop.sssd.Error.DataProvider.Offline]
sssd_<domain.com>
=================
(2022-12-07 16:21:34): [be[domain.com]] [id_callback] (0x0010): The Monitor returned an
error [org.freedesktop.DBus.Error.NoReply]
(2022-12-07 16:26:40): [be[domain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing
children
(2022-12-07 16:33:53): [be[domain.com]] [id_callback] (0x0010): The Monitor returned an
error [org.freedesktop.DBus.Error.NoReply]
7:42 a.m.
Here is the link to sssd_pam.log after setting debug value to 9
https://pastebin.com/embed_js/U345NVwA
11:55 p.m.
Am Thu, Jan 05, 2023 at 01:42:11PM -0000 schrieb Damola Azeez via FreeIPA-users:
Here is the link to sssd_pam.log after setting debug value to 9
https://pastebin.com/embed_js/U345NVwA
Hi,
the PAM responders receives
(2023-01-05 14:50:58): [pam] [pam_dp_process_reply] (0x0200): received: [6 (Permission
denied)][domain.com]
from the backend, so you have to check the log entries from the domain
log from around same time to see what made the backend return the error.
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
6:52 a.m.
Am Mon, Jan 09, 2023 at 12:36:35PM -0000 schrieb Damola Azeez via FreeIPA-users:
Hi,
here is the domain log from around the same time
https://pastebin.com/EBQzQ7d0
Hi,
thanks, looks like the error is coming from krb5_child:
(2023-01-05 14:50:58): [be[domain.com]] [write_pipe_handler] (0x0400): All data has been
sent!
(2023-01-05 14:50:58): [be[domain.com]] [child_sig_handler] (0x1000): Waiting for child
[22846].
(2023-01-05 14:50:58): [be[domain.com]] [child_sig_handler] (0x0100): child [22846]
finished successfully.
(2023-01-05 14:50:58): [be[domain.com]] [read_pipe_handler] (0x0400): EOF received, client
finished
(2023-01-05 14:50:58): [be[domain.com]] [_be_fo_set_port_status] (0x8000): Setting status:
PORT_NOT_WORKING. Called from: src/providers/krb5/krb5_auth.c: krb5_auth_done: 982
Please send krb5_child.log as well, especially covering PID 22846.
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
10:24 a.m.
Am Mon, Jan 09, 2023 at 02:06:44PM -0000 schrieb Damola Azeez via FreeIPA-users:
Hi,
Here is the krb5_child.log
https://pastebin.com/zkcSBhAJ
Hi,
(2023-01-05 14:50:58): [krb5_child[22846]] [get_and_save_tgt] (0x0020): 1709:
[-1765328347][Clock skew too great]
(2023-01-05 14:50:58): [krb5_child[22846]] [map_krb5_error] (0x0020): 1838:
[-1765328347][Clock skew too great]
please sync the clocks of client and server.
HTH
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
469
days inactive
481
days old
freeipa-users@lists.fedorahosted.org
9 comments
2 participants
participants (2)
-
Damola Azeez -
Sumit Bose