<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/20/2012 03:03 PM, Joe Linoff wrote:
<blockquote
cite="mid:8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hi Everybody:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using FreeIPA 2.2.0 on CentOS 6.3 and
am having a challenging problem with a new user that I just
setup. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That user cannot ssh into any host on the
realm from an external source. They get a permission denied
problem but “old-user” with the same HBAC configuration works.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% ssh -A -t -o Port=9346
<a class="moz-txt-link-abbreviated" href="mailto:new-user@somehost.example.com">new-user@somehost.example.com</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";"><a class="moz-txt-link-abbreviated" href="mailto:new-user@somehost.example.com">new-user@somehost.example.com</a>'s password: <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New"; color: rgb(192, 0, 0);">Permission denied, please
try again.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% ssh -A -t -o Port=9346
<a class="moz-txt-link-abbreviated" href="mailto:old-user@somehost.example.com">old-user@somehost.example.com</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";"><a class="moz-txt-link-abbreviated" href="mailto:old-user@somehost.example.com">old-user@somehost.example.com</a>'s password: <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Last login: …<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">[old-user@somehost ~]$<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";"><o:p> </o:p></span></p>
<p class="MsoNormal">I checked their password by setting up a
TGT using kinit. It worked. I was also able to ssh into
another host on the network.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% kinit new-user<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Password for <a class="moz-txt-link-abbreviated" href="mailto:new-user@EXAMPLE.COM">new-user@EXAMPLE.COM</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% ssh new-user@somehost<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Last login: …<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Could not chdir to home directory …<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">-bash-4.1$ exit<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That seems to indicate that the password is
correct and that the permissions are correct but to be sure I
ran an hbactest on the server:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% ipa hbactest --user=new-user --service=ssh
--host=somehost<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">--------------------<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Access granted: True<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">--------------------<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">…<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I did see something strange in
/var/log/messages:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:16 somehost
[sssd[krb5_child[16478]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:16 somehost
[sssd[krb5_child[16478]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:26 somehost
[sssd[krb5_child[16481]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:26 somehost
[sssd[krb5_child[16481]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:54 somehost
[sssd[krb5_child[16488]]]: Password has expired<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:48:55 somehost
[sssd[krb5_child[16488]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:49:05 somehost
[sssd[krb5_child[16491]]]: Password has expired<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Jul 20 11:49:05 somehost
[sssd[krb5_child[16491]]]: Decrypt integrity check failed<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So I reset the password using the ipa
passwd command:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">% ipa passwd new-user<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">New Password:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Etner New Password again to verify:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">-------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">Changed password for <a class="moz-txt-link-abbreviated" href="mailto:new-user@EXAMPLE.COM">new-user@EXAMPLE.COM</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 10pt; font-family: "Courier
New";">------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But I am still getting the Permission
denied error.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What am I doing wrong? How can I debug
this? Any help would be greatly appreciated. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
When you set the password on the server using the ipa passwd command
you make it known to the admin. This is why it is right away expired
and requires a change.<br>
A user needs to log in through the client that allows changing the
password as a part of the authentication.<br>
It looks like your ssh is not configured to do password change (I
suspect it uses GSSAPI but I might be wrong).<br>
So either the ssh needs to be configured to do the password change
over the pam stack or you need to login as this user and change his
password and then you will be able to ssh.<br>
<br>
<blockquote
cite="mid:8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Joe<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<pre wrap="">
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
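The two remediation paths in the reply above (let sshd hand the expired-password change to the PAM stack, or have the user change the password themselves) can be checked from the client side. The script below is an added example for this thread, not code from the list or from the FreeIPA project: it reads an sshd_config and reports whether the keyword pair that lets PAM relay a password-change prompt over keyboard-interactive authentication (UsePAM plus ChallengeResponseAuthentication, both real OpenSSH options) is in effect, honouring sshd's rule that the first occurrence of a keyword wins, and it counts the sssd "Password has expired" events in a syslog file like the one Joe quoted. The sample config files and log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit an sshd_config for the
# settings that allow an expired FreeIPA password to be changed during ssh
# login, and count sssd krb5_child "Password has expired" events in a log.

# sshd applies the FIRST occurrence of each keyword, so later duplicates are
# ignored; this helper mirrors that. Keyword matching is case-insensitive.
# Usage: sshd_option CONFIG KEYWORD  -> prints the value (lower-cased), or nothing
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Returns 0 when both UsePAM and ChallengeResponseAuthentication are "yes",
# i.e. PAM can run its password-change (chauthtok) conversation through
# keyboard-interactive authentication instead of failing with "Permission denied".
pam_pwchange_enabled() {
    [ "$(sshd_option "$1" UsePAM)" = "yes" ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = "yes" ]
}

# Count sssd krb5_child "Password has expired" lines in a syslog-style file.
# grep -c exits 1 when there are no matches; the count is still printed.
count_expired_events() {
    grep -c 'krb5_child\[[0-9]*\]\]: Password has expired' "$1" || true
}

# Write the constructed sample files into directory $1.
write_samples() {
    d="$1"
    mkdir -p "$d"
    # Constructed: keyboard-interactive disabled; a "yes" appended at the end
    # does not help, because sshd keeps the first value it reads.
    cat > "$d/sshd_config.weak" <<'EOF'
# constructed sample
Port 9346
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
# appended later by an admin; ignored by sshd since the keyword was set above
ChallengeResponseAuthentication yes
EOF
    # Constructed: the corrected configuration.
    cat > "$d/sshd_config.fixed" <<'EOF'
# constructed sample
Port 9346
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
EOF
    # Constructed log lines in the same shape as the ones quoted in the thread.
    cat > "$d/messages" <<'EOF'
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
EOF
}

# Demo when run directly: report both configs and the log count, then clean up.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/sshd_config.weak" "$d/sshd_config.fixed"; do
        if pam_pwchange_enabled "$f"; then
            echo "$f: PAM can change an expired password during ssh login"
        else
            echo "$f: expired password cannot be changed over ssh; expect Permission denied"
        fi
    done
    echo "expired-password events in log: $(count_expired_events "$d/messages")"
    rm -rf "$d"
}

demo
```

Run it on a real host by calling sshd_option or pam_pwchange_enabled against /etc/ssh/sshd_config and count_expired_events against /var/log/messages. The other path the reply mentions needs no sshd change: MIT kinit, run as the user from an enrolled client, detects the expired password and prompts for a new one, after which ssh works with the existing configuration.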
</body>
</html>