<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi List,<br>
I'm still fairly new to this list and administrating FreeIPA.<br>
<br>
I had a very old version of FreeIPA and had all sorts of odd issues
with it. I had 47 Ubuntu clients attached to the domain. <br>
<br>
I set up a newer FreeIPA server version: 4.1.4 <br>
I recreated all my user accounts by hand; I did not migrate any of
them.<br>
I then removed the 47 clients from the old domain:<br>
<br>
#ipa-client-install --uninstall<br>
<br>
Then I reinstalled each client<br>
<br>
#ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU
-p admin -W --hostname `hostname` -N<br>
<br>
It finished without errors on all my systems. <br>
<br>
Two of my systems will not let any IPA users log in via ssh or the
console. The rest of them work fine. <br>
After keying in the password I get the following.<br>
<br>
Permission denied, please try again.<br>
<br>
id (username) shows the UID and GID and Groups correctly.<br>
getent passwd shows only my local accounts; I don't have enumerate
on. <br>
kinit also works.<br>
<br>
<u>My auth.log shows this</u><br>
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN<br>
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN<br>
pam_sss(sshd:auth): received for user : 7 (Authentication failure)<br>
<br>
I know it's the correct password as it works on the other clients.<br>
<br>
<u>I get this in krb5_child.log</u><br>
<br>
[[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid
[66133] gid [100] validate [true] enterprise principal [false]
offline [false] UPN [@CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX]
keytab: [/etc/krb5.keytab]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME]
from environment.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/occs.cs.oberlin.edu@CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[match_principal] (0x1000): Principal matched to the sample
(host/occs.cs.oberlin.edu@CS.OBERLIN.EDU).<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
(0x0400): Will perform online auth<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[tgt_req_child] (0x1000): Attempting to get a TGT<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[get_and_save_tgt] (0x0400): Attempting kinit for realm
[CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[validate_tgt] (0x0400): TGT verified using key for
[host/occs.cs.oberlin.edu@CS.OBERLIN.EDU].<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user]
(0x0200): Trying to become user [66133][100].<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[k5c_send_data] (0x0200): Received error code 0<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
(0x0400): krb5_child completed successfully<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main]
(0x0400): krb5_child started.<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
[unpack_buffer] (0x1000): total buffer size: [127]<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
[unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate
[true] enterprise principal [false] offline [false] UPN
[@CS.OBERLIN.EDU]<br>
<br>
<u>sssd.conf on the broken machine</u><br>
<br>
[domain/cs.oberlin.edu]<br>
debug_level=8<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = cs.oberlin.edu<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = occs.cs.oberlin.edu<br>
chpass_provider = ipa<br>
ipa_server = _srv_, ipa1.cs.oberlin.edu<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
[sssd]<br>
services = nss, pam, ssh<br>
config_file_version = 2<br>
debug_level=8<br>
domains = cs.oberlin.edu<br>
[nss]<br>
debug_level=8<br>
[pam]<br>
debug_level=8<br>
[sudo]<br>
<br>
[autofs]<br>
<br>
[ssh]<br>
debug_level=8<br>
[pac]<br>
<br>
<u>The broken systems sssd_nss.log</u><br>
<br>
[nss_cmd_getpwnam_search] (0x0400): Returning info for user
[HIDDEN@cs.oberlin.edu]<br>
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with
input [HIDDEN].<br>
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN'
matched without domain, user is HIDDEN<br>
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default
domain [(null)]<br>
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[HIDDEN] from [<ALL>]<br>
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache
for [NCE/USER/cs.oberlin.edu/HIDDEN]<br>
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[HIDDEN@cs.oberlin.edu]<br>
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid,
returning..<br>
<br>
Any suggestions on how I can get users to log in to this machine?<br>
<br>
Thanks,<br>
-Chris<br>
<br>
<br>
</body>
</html>