<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/09/2015 08:34 AM, alireza baghery
wrote:<br>
</div>
<blockquote
cite="mid:CAPyvVhwg7xY=r9tRc2XK3srriAQs-Y+HTmDjm6AK3vJ0C9zJiA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Yes, I tried "ssh admin@hostname" but it does not work<br>
</div>
<div>====log secure-====<br>
<br>
Feb 9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.30.160.20 user=admin<br>
Feb 9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.30.160.20 user=admin<br>
Feb 9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account):
Access denied for user admin: 6 (Permission denied)<br>
Feb 9 15:42:20 ipasrv sshd[13414]: Failed password for admin
from 10.30.160.20 port 52123 ssh2<br>
Feb 9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for
user admin by PAM account configuration<br>
<br>
</div>
</div>
</blockquote>
<br>
Do you have HBAC rules? Does admin have the rights to log in via SSH?<br>
If you changed the default rules it might be that admin is not
allowed to log in via SSH.<br>
<br>
<blockquote
cite="mid:CAPyvVhwg7xY=r9tRc2XK3srriAQs-Y+HTmDjm6AK3vJ0C9zJiA@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Feb 9, 2015 at 3:20 PM, Martin
Kosek <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Did you
try the "ssh admin@`hostname`" command? It should show if
ssh to admin<br>
via SSSD&amp;FreeIPA really works.<br>
<div class="HOEnZb">
<div class="h5"><br>
On 02/09/2015 11:18 AM, alireza baghery wrote:<br>
> account admin is recognized and shows uid, gid and groups<br>
> On Feb 9, 2015 1:42 PM, "Martin Kosek" &lt;<a
moz-do-not-send="true" href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>&gt;
wrote:<br>
><br>
>> Ok. When on the server, does<br>
>><br>
>> # id admin<br>
>><br>
>> or "ssh admin@`hostname`" work? Maybe it does
not recognize the admin<br>
>> user.<br>
>><br>
>> On 02/09/2015 09:29 AM, alireza baghery wrote:<br>
>>> ipasrv# Service SSSD status<br>
>>> sssd is running<br>
>>> nevertheless I restarted the sssd service<br>
>>> but the problem was not solved<br>
>>><br>
>>> On Mon, Feb 9, 2015 at 11:19 AM, Martin
Kosek &lt;<a moz-do-not-send="true"
href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>&gt;
wrote:<br>
>>><br>
>>>> On 02/09/2015 07:42 AM, alireza baghery
wrote:<br>
>>>>> I checked ssh on both servers using each
other's name and ssh was successful and<br>
>>>> name<br>
>>>>> resolution was also correct on each
server,<br>
>>>>> but I cannot log in with user admin
from ipareplica via ssh<br>
>>>> ([root@ipareplica]#<br>
>>>>> ssh admin@ipasrv ===> failed)<br>
>>>>><br>
>>>>> [root@ipareplica ~]# ssh ipasrv<br>
>>>>> root@ipasrv's password:<br>
>>>>> Last login: Mon Feb 9 09:49:54
2015 from 10.30.160.20<br>
>>>>> =====log /var/secure====<br>
>>>>> Feb 9 09:50:29 ipasrv sshd[12076]:
Accepted password for root from<br>
>>>>> 10.30.160.20 port 52110 ssh2<br>
>>>>> Feb 9 09:50:29 ipasrv sshd[12076]:
pam_unix(sshd:session): session<br>
>>>> opened<br>
>>>>> for user root by (uid=0)<br>
>>>>> =====<br>
>>>>> [root@ipasrv ~]# ssh ipareplica<br>
>>>>> root@ipareplica's password:<br>
>>>>> Last login: Mon Feb 9 09:50:20
2015 from 10.30.160.19<br>
>>>>><br>
>>>>> ======<br>
>>>>> [root@ipareplica ~]# nslookup
ipasrv<br>
>>>>> Server: 10.30.160.19<br>
>>>>> Address: 10.30.160.19#53<br>
>>>>><br>
>>>>> Name: ipasrv<br>
>>>>> Address: 10.30.160.19<br>
>>>>><br>
>>>>> ========<br>
>>>>> [root@ipasrv ~]# nslookup
ipareplica<br>
>>>>> Server: 127.0.0.1<br>
>>>>> Address: 127.0.0.1#53<br>
>>>>><br>
>>>>> Name: ipareplica<br>
>>>>> Address: 10.30.160.20<br>
>>>>> =========<br>
>>>><br>
>>>> Ok, so ssh is running, you can log in
with root. I think that by 99%<br>
>>>> chance,<br>
>>>> your SSSD service is not running on the
IPA server. Please check if this<br>
>>>> is the<br>
>>>> case and if yes, please try to
(re)start it. If that helped, it would be<br>
>>>> also<br>
>>>> useful to see *why* the SSSD is not
running (crash, misconfiguration,<br>
>> ...)<br>
>>>><br>
>>>> Martin<br>
>>>><br>
>>><br>
>>><br>
>>><br>
>><br>
>><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
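<p>The log pattern behind the HBAC question above, as an added example (not part of the original thread and not FreeIPA or SSSD code): pam_sss accepts the password in the auth phase and then refuses the login in the account phase, where access-control policy is enforced, while sshd still reports "Failed password". The verdict names and the PID 20001 / user bob lines are constructed for illustration.</p>

```python
import re
from collections import defaultdict

# Lines quoted in this thread (unwrapped) plus a constructed wrong-password attempt (PID 20001, user bob).
SAMPLE_LOG = """\
Feb 9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
Feb 9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
Feb 9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
Feb 9 15:42:20 ipasrv sshd[13414]: Failed password for admin from 10.30.160.20 port 52123 ssh2
Feb 9 09:50:29 ipasrv sshd[12076]: Accepted password for root from 10.30.160.20 port 52110 ssh2
Feb 9 16:00:01 ipasrv sshd[20001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=bob
Feb 9 16:00:01 ipasrv sshd[20001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=bob
"""

SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")
PAM = re.compile(r"pam_(\w+)\(sshd:(\w+)\): (.*)$")
USER = re.compile(r"\buser[= ]([\w.-]+)")
OUTCOMES = {"authentication success": "ok", "authentication failure": "fail", "Access denied": "denied"}

def verdict(ev):
    """Map the set of (module, phase, outcome) events of one sshd PID to a verdict."""
    if ("sss", "auth", "ok") in ev and ("sss", "account", "denied") in ev:
        return "policy-denied"      # password was accepted; the account phase refused the login
    if ("sshd", "login", "ok") in ev:
        return "accepted"
    if all(e[1:] == ("auth", "fail") for e in ev):
        return "bad-credentials"    # every PAM module rejected the password
    return "unknown"

def classify_logins(log_text):
    """Return {pid: (user, verdict)} for each sshd PID that logged PAM or accept events."""
    events, users = defaultdict(set), {}
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        pam = PAM.match(msg)
        if pam:
            module, phase, detail = pam.groups()
            for prefix, outcome in OUTCOMES.items():
                if detail.startswith(prefix):
                    events[pid].add((module, phase, outcome))
            user = USER.search(detail)
            if user:
                users[pid] = user.group(1)
        elif msg.startswith("Accepted "):
            events[pid].add(("sshd", "login", "ok"))
            users[pid] = msg.split()[3]   # "Accepted password for USER from ..."
    return {pid: (users.get(pid), verdict(ev)) for pid, ev in events.items()}
```

<p>A <code>policy-denied</code> verdict is the case to follow up with the HBAC rule check asked about in the reply; the pam_unix failure for an IPA-managed user in the same PID is expected and is not the cause.</p>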
</body>
</html>