3:45 a.m.
### Request for enhancement
as a Linux admin i want to login into my ipa client with a user that is defined in
ipa-server UI.
### Issue
I installed Ipa-server and an Ipa-client on CentOS7.6
I defined Internal DNS on ipa-server and i defined A and PTR records for client on
ipa-server.
now i can see my client in ipa-UI and i defined a user with name "elham" and i
expect that it can login into ipa-client.
when i login with root in ipa-client and i do sudo elham, it works and kinit elham works
too but
when i do ssh into ipa-client with this user, it show "Access denied"
i have errors with this context:
pam_reply : authentication failure to the client
pam_sss: authentication falure
im tired of this issue. please help me if you know the solution.
#### Steps to Reproduce
1. define new user "elham" in ipa UI
2. SSH to ipa-client with elham
3. access denied
#### Actual behavior
(what happens)
#### Expected behavior
login into ipa-client successfully
#### Version/Release/Distribution
ipa-server 4.6.5-11.el7
ipa-client 4.6.4-10.el7.centos.3
Log files and config files are added below:
krb5.conf
------------
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LSHS.DC
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
LSHS.DC = {
kdc = ipa-irvlt01.example.dc:88
admin_server = ipa-irvlt01.example.dc:749
default_domain = example.dc
}
[domain_realm]
.example.com = LSHS.DC
example.com = LSHS.DC
############################################
sssd.conf
-------------
[domain/example.dc]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.dc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipacli-irvlt01.example.dc
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-irvlt01.example.dc
dyndns_iface = ens160
dns_discovery_domain = example.dc
debug_level = 10
[sssd]
########### AFTER IPA ###################
#services = nss, sudo, pam, ssh
services = nss, pam
config_file_version = 2
#########################################
domains = example.dc
debug_level = 10
[nss]
homedir_substring = /home
[pam]
debug_level = 10
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
##########################################
3:59 a.m.
On Wed, Oct 09, 2019 at 08:45:16AM -0000, Elhamsadat Azarian via FreeIPA-users wrote:
### Request for enhancement
as a Linux admin i want to login into my ipa client with a user that is defined in
ipa-server UI.
### Issue
I installed Ipa-server and an Ipa-client on CentOS7.6
I defined Internal DNS on ipa-server and i defined A and PTR records for client on
ipa-server.
now i can see my client in ipa-UI and i defined a user with name "elham" and i
expect that it can login into ipa-client.
when i login with root in ipa-client and i do sudo elham, it works and kinit elham works
too but
when i do ssh into ipa-client with this user, it show "Access denied"
i have errors with this context:
pam_reply : authentication failure to the client
pam_sss: authentication falure
im tired of this issue. please help me if you know the solution.
Please start here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
>
> #### Actual behavior
> (what happens)
>
> #### Expected behavior
> login into ipa-client successfully
>
> #### Version/Release/Distribution
> ipa-server 4.6.5-11.el7
> ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
>
>
>
> krb5.conf
> ------------
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
>
>
> sssd.conf
> -------------
> [domain/example.dc]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
>
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
>
> debug_level = 10
> [nss]
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ##########################################
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
4:57 a.m.
I checked it but i couldnt solve it
On Wed, 9 Oct 2019, 12:30 Jakub Hrozek via FreeIPA-users, <
freeipa-users(a)lists.fedorahosted.org> wrote:
On Wed, Oct 09, 2019 at 08:45:16AM -0000, Elhamsadat Azarian via
FreeIPA-users wrote:
> ### Request for enhancement
> as a Linux admin i want to login into my ipa client with a user that is
defined in ipa-server UI.
>
> ### Issue
> I installed Ipa-server and an Ipa-client on CentOS7.6
> I defined Internal DNS on ipa-server and i defined A and PTR records for
client on ipa-server.
> now i can see my client in ipa-UI and i defined a user with name "elham"
and i expect that it can login into ipa-client.
> when i login with root in ipa-client and i do sudo elham, it works and
kinit elham works too but
> when i do ssh into ipa-client with this user, it show "Access denied"
> i have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
>
> im tired of this issue. please help me if you know the solution.
Please start here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
>
> #### Actual behavior
> (what happens)
>
> #### Expected behavior
> login into ipa-client successfully
>
> #### Version/Release/Distribution
> ipa-server 4.6.5-11.el7
> ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
>
>
>
> krb5.conf
> ------------
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
>
>
> sssd.conf
> -------------
> [domain/example.dc]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
>
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
>
> debug_level = 10
> [nss]
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ##########################################
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:06 a.m.
Have you made sure your “elham” user has the correct permissions to access the machines?
Take a look in the UI at the groups/permissions that user elham has. Take a look at your
HBAC rules as well. That would be my first recommendation to check if it was me.
-Kevin
> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> ### Request for enhancement
> as a Linux admin i want to login into my ipa client with a user that is defined in
ipa-server UI.
>
> ### Issue
> I installed Ipa-server and an Ipa-client on CentOS7.6
> I defined Internal DNS on ipa-server and i defined A and PTR records for client on
ipa-server.
> now i can see my client in ipa-UI and i defined a user with name "elham"
and i expect that it can login into ipa-client.
> when i login with root in ipa-client and i do sudo elham, it works and kinit elham
works too but
> when i do ssh into ipa-client with this user, it show "Access denied"
> i have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
>
> im tired of this issue. please help me if you know the solution.
>
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
>
> #### Actual behavior
> (what happens)
>
> #### Expected behavior
> login into ipa-client successfully
>
> #### Version/Release/Distribution
> ipa-server 4.6.5-11.el7
> ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
>
>
>
> krb5.conf
> ------------
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
>
>
> sssd.conf
> -------------
> [domain/example.dc]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
>
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
>
> debug_level = 10
> [nss]
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ##########################################
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:49 a.m.
Kevin Vasko via FreeIPA-users wrote:
Have you made sure your “elham” user has the correct permissions to
access the machines? Take a look in the UI at the groups/permissions that user elham has.
Take a look at your HBAC rules as well. That would be my first recommendation to check if
it was me.
Right, and the troubleshooting page suggests that (and increasing debug
logging).
Please provide the output of the things you have already looked at.
rob
-Kevin
> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> ### Request for enhancement
> as a Linux admin i want to login into my ipa client with a user that is defined in
ipa-server UI.
>
> ### Issue
> I installed Ipa-server and an Ipa-client on CentOS7.6
> I defined Internal DNS on ipa-server and i defined A and PTR records for client on
ipa-server.
> now i can see my client in ipa-UI and i defined a user with name "elham"
and i expect that it can login into ipa-client.
> when i login with root in ipa-client and i do sudo elham, it works and kinit elham
works too but
> when i do ssh into ipa-client with this user, it show "Access denied"
> i have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
>
> im tired of this issue. please help me if you know the solution.
>
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
>
> #### Actual behavior
> (what happens)
>
> #### Expected behavior
> login into ipa-client successfully
>
> #### Version/Release/Distribution
> ipa-server 4.6.5-11.el7
> ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
>
>
>
> krb5.conf
> ------------
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
>
>
> sssd.conf
> -------------
> [domain/example.dc]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
>
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
>
> debug_level = 10
> [nss]
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ##########################################
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1659
days inactive
1659
days old
freeipa-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
Elhamsadat Azarian -
Jakub Hrozek -
Kevin Vasko -
Rob Crittenden