### Request for enhancement

As a Linux admin I want to log in to my IPA client with a user that is defined in the ipa-server UI.

### Issue

I installed ipa-server and an ipa-client on CentOS 7.6. I defined internal DNS on ipa-server and I defined A and PTR records for the client on ipa-server. Now I can see my client in the IPA UI, and I defined a user with the name "elham" and I expect that it can log in to ipa-client. When I log in as root on ipa-client and do `sudo elham`, it works, and `kinit elham` works too, but when I SSH into ipa-client with this user it shows "Access denied". I have errors with this context:

pam_reply : authentication failure to the client
pam_sss: authentication failure

I'm tired of this issue. Please help me if you know the solution.

#### Steps to Reproduce

1. Define a new user "elham" in the IPA UI
2. SSH to ipa-client as elham
3. Access denied

#### Actual behavior (what happens)

#### Expected behavior

Login into ipa-client successfully.

#### Version/Release/Distribution

ipa-server 4.6.5-11.el7
ipa-client 4.6.4-10.el7.centos.3

Log files and config files are added below:

krb5.conf

```ini
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LSHS.DC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LSHS.DC = {
  kdc = ipa-irvlt01.example.dc:88
  admin_server = ipa-irvlt01.example.dc:749
  default_domain = example.dc
 }

[domain_realm]
 .example.com = LSHS.DC
 example.com = LSHS.DC
```

sssd.conf

```ini
[domain/example.dc]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.dc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipacli-irvlt01.example.dc
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-irvlt01.example.dc
dyndns_iface = ens160
dns_discovery_domain = example.dc
debug_level = 10

[sssd]
########### AFTER IPA ###################
#services = nss, sudo, pam, ssh
services = nss, pam
config_file_version = 2
#########################################
domains = example.dc
debug_level = 10

[nss]
homedir_substring = /home

[pam]
debug_level = 10

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
```
On Wed, Oct 09, 2019 at 08:45:16AM -0000, Elhamsadat Azarian via FreeIPA-users wrote:
I'm tired of this issue. Please help me if you know the solution.
Please start here: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I checked it but I couldn't solve it.

On Wed, 9 Oct 2019, 12:30 Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Please start here: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me.
-Kevin
On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I'm tired of this issue. Please help me if you know the solution.
Kevin Vasko via FreeIPA-users wrote:
Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me.
Right, and the troubleshooting page suggests that (and increasing debug logging).
Please provide the output of the things you have already looked at.
rob
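As an added example (not from the thread or from the FreeIPA/SSSD projects), the script below reads an excerpt of the SSSD PAM responder log that the debug_level = 10 setting produces and maps each PAM request to its result, so a refusal in the account phase (what Kevin's HBAC check is about) is told apart from a real authentication failure, which is the kind of output Rob asks for. The log lines are constructed samples shaped like sssd_pam.log output; the PAM result codes are the Linux-PAM constants.

```shell
#!/bin/sh
# Added example, not from the thread: triage an sssd_pam.log excerpt so an
# HBAC denial (PAM account phase) is not read as a bad password (auth phase).
# Result codes are Linux-PAM constants; the log lines are constructed samples
# shaped like sssd debug output (debug_level = 10 in the [pam] section).

# Map a PAM result code to its likely cause on an IPA client.
pam_cause() {
  case "$1" in
    0)  echo "success" ;;
    6)  echo "PAM_PERM_DENIED: access provider (HBAC) refused the login" ;;
    7)  echo "PAM_AUTH_ERR: wrong password or Kerberos pre-auth failed" ;;
    9)  echo "PAM_AUTHINFO_UNAVAIL: IPA server unreachable, SSSD offline" ;;
    10) echo "PAM_USER_UNKNOWN: user not found by SSSD" ;;
    12) echo "PAM_NEW_AUTHTOK_REQD: password expired, must be changed" ;;
    13) echo "PAM_ACCT_EXPIRED: account expired or disabled" ;;
    *)  echo "unmapped PAM result $1" ;;
  esac
}

# Pair each "command: SSS_PAM_*" with the "pam_reply called with result [N]"
# that follows it; prints "<command> <code>" per PAM request, in log order.
triage_pam_log() {
  printf '%s\n' "$1" | awk '
    /command: SSS_PAM_/ { sub(/.*command: /, ""); cmd = $1 }
    /pam_reply called with result \[/ {
      match($0, /result \[[0-9]+\]/)
      print cmd, substr($0, RSTART + 8, RLENGTH - 9)
    }'
}

# Print one "<command> -> <cause>" line per request.
triage_report() {
  triage_pam_log "$1" | while read -r cmd code; do
    printf '%s -> %s\n' "$cmd" "$(pam_cause "$code")"
  done
}

# Constructed sample: authentication succeeded (as kinit does), then the
# account phase was refused, the shape a missing HBAC rule for sshd produces.
SAMPLE_LOG='(Wed Oct  9 09:01:02 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Oct  9 09:01:02 2019) [sssd[pam]] [pam_print_data] (0x0100): user: elham
(Wed Oct  9 09:01:02 2019) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Oct  9 09:01:03 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Wed Oct  9 09:01:03 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Oct  9 09:01:03 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.'

triage_report "$SAMPLE_LOG"
```

On a real client the same functions can be fed the contents of /var/log/sssd/sssd_pam.log; a result of 6 on SSS_PAM_ACCT_MGMT while SSS_PAM_AUTHENTICATE returned 0 points at the HBAC rules rather than at the password or the Kerberos setup.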