On Wed, Jul 29, 2020 at 02:11:43PM +0000, TOULMONDE Sébastien (CSC/MST) via FreeIPA-users wrote:
> Hi,
>
> Yesterday we migrated our dev servers to IPA - to help in the migration, I enabled the
> allow_all HBAC rule, but despite that, some users get this message:
>
> Jul 29 15:56:23 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
> Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
> Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied) <----- This
> Jul 29 15:56:52 el4966 sshd[98029]: error: PAM: Authentication failure for id094844 from el1921.bc
> Jul 29 15:56:52 el4966 sshd[98029]: Failed keyboard-interactive/pam for id094844 from 81.245.6.11 port 35552 ssh2
> Jul 29 15:56:58 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
> Jul 29 15:57:00 el4966 sshd[98029]: Connection closed by 81.245.6.11 port 35552 [preauth]
>
> These are external (AD) users. Weird thing: not all users have this and not everywhere...
> I tried to remove the LDAP filter on the IPA server -> same thing... I'm running
> out of ideas...

Hi,
please set 'debug_level = 9' to the [domain/...] section in sssd.conf,
restart SSSD, try to authenticate again and check krb5_child.log and the
domain log for errors.
HTH
bye,
Sumit

> Thanks for your help!
> S. Toulmonde
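
Added example, not part of the original thread: a small Python triage script that tallies the pam_sss "received for user" result lines from the log excerpt above per user, host and PAM phase, to help narrow down which users and hosts are affected. The sample lines other than the one for id094844 are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted above (unwrapped).
SAMPLE = """\
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)
Jul 29 15:58:02 el4966 sshd[98101]: pam_sss(sshd:auth): received for user id000001: 7 (Authentication failure)
Jul 29 15:59:10 el5000 sshd[1200]: pam_sss(sshd:account): received for user id000002: 6 (Permission denied)
Jul 29 15:59:30 el4966 sshd[98150]: Accepted keyboard-interactive/pam for id000003 from 192.0.2.10 port 40000 ssh2
"""

# Captures: host, PAM service, PAM phase, user, numeric PAM result, result text.
RESULT_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+\S+\[\d+\]:\s+"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s+"
    r"received for user (?P<user>\S+):\s+(?P<code>\d+)\s+\((?P<text>[^)]*)\)"
)

def pam_sss_results(lines):
    """Yield one dict per pam_sss 'received for user' line; other lines are skipped."""
    for line in lines:
        m = RESULT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            yield rec

def summarize(lines):
    """Map (user, host, phase, code, text) -> number of occurrences."""
    counts = defaultdict(int)
    for r in pam_sss_results(lines):
        counts[(r["user"], r["host"], r["phase"], r["code"], r["text"])] += 1
    return dict(counts)

def users_with_code(lines, code):
    """Users that got the given PAM result code, with the (host, phase) pairs seen."""
    hit = defaultdict(set)
    for r in pam_sss_results(lines):
        if r["code"] == code:
            hit[r["user"]].add((r["host"], r["phase"]))
    return dict(hit)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE.splitlines()).items()):
        print(n, *key)
```

The PAM phase in the output (auth or account) shows at which stage each denial was returned, which is useful to have at hand when reading the SSSD debug logs.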