<div dir="ltr">Did you clear out <span style="font-size:12.8000001907349px">/var/lib/sss/db</span> between re-installation of the client? There was a bug which might not have been fixed downstream yet. </div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <span dir="ltr"><<a href="mailto:cmohler@oberlin.edu" target="_blank">cmohler@oberlin.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi List,<br>
I'm still fairly new to this list and administering FreeIPA.<br>
<br>
I had a very old version of freeipa and had all sorts of odd issues
with it. I had 47 ubuntu clients attached to the domain. <br>
<br>
I set up a newer freeipa server version: 4.1.4 <br>
I recreated all my user accounts by hand; I did not migrate any of
them.<br>
I then removed the 47 clients from the old domain:<br>
<br>
#ipa-client-install --uninstall<br>
<br>
Then I reinstalled each client<br>
<br>
#ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU
-p admin -W --hostname `hostname` -N<br>
<br>
it finished without errors on all my systems. <br>
<br>
Two of my systems will not let any ipa users log in via ssh or the
console. The rest of them work fine. <br>
After keying in the password I get the following.<br>
<br>
Permission denied, please try again.<br>
<br>
id (username) shows the UID and GID and Groups correctly.<br>
getent passwd shows only my local accounts; I don't have enumerate
on. <br>
kinit also works.<br>
<br>
<u>My auth.log shows this:</u><br>
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN<br>
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN<br>
pam_sss(sshd:auth): received for user : 7 (Authentication failure)<br>
<br>
I know it's the correct password as it works on the other clients.<br>
<br>
<u>I get this in krb5_child.log:</u><br>
<br>
[[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid
[66133] gid [100] validate [true] enterprise principal [false]
offline [false] UPN [@CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX]
keytab: [/etc/krb5.keytab]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME]
from environment.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/occs.cs.oberlin.edu@CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[match_principal] (0x1000): Principal matched to the sample
(host/occs.cs.oberlin.edu@CS.OBERLIN.EDU).<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
(0x0400): Will perform online auth<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[tgt_req_child] (0x1000): Attempting to get a TGT<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[get_and_save_tgt] (0x0400): Attempting kinit for realm
[CS.OBERLIN.EDU]<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[validate_tgt] (0x0400): TGT verified using key for
[host/occs.cs.oberlin.edu@CS.OBERLIN.EDU].<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user]
(0x0200): Trying to become user [66133][100].<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
[k5c_send_data] (0x0200): Received error code 0<br>
(Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
(0x0400): krb5_child completed successfully<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main]
(0x0400): krb5_child started.<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
[unpack_buffer] (0x1000): total buffer size: [127]<br>
(Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
[unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate
[true] enterprise principal [false] offline [false] UPN
[@CS.OBERLIN.EDU]<br>
<br>
<u>sssd.conf on the broken machine:</u><br>
<br>
[domain/cs.oberlin.edu]<br>
debug_level=8<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = cs.oberlin.edu<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = occs.cs.oberlin.edu<br>
chpass_provider = ipa<br>
ipa_server = _srv_, ipa1.cs.oberlin.edu<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
[sssd]<br>
services = nss, pam, ssh<br>
config_file_version = 2<br>
debug_level=8<br>
domains = cs.oberlin.edu<br>
[nss]<br>
debug_level=8<br>
[pam]<br>
debug_level=8<br>
[sudo]<br>
<br>
[autofs]<br>
<br>
[ssh]<br>
debug_level=8<br>
[pac]<br>
<br>
<u>The broken system's sssd_nss.log:</u><br>
<br>
[nss_cmd_getpwnam_search] (0x0400): Returning info for user
[HIDDEN@cs.oberlin.edu]<br>
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with
input [HIDDEN].<br>
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN'
matched without domain, user is HIDDEN<br>
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default
domain [(null)]<br>
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[HIDDEN] from [<ALL>]<br>
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache
for [NCE/USER/cs.oberlin.edu/HIDDEN]<br>
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[HIDDEN@cs.oberlin.edu]<br>
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid,
returning..<br>
<br>
Any suggestions on how I can get users to log in to this machine?<br>
<br>
Thanks,<br>
-Chris<br>
<br>
<br>
</div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>
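<div dir="ltr">The cache reset suggested in the reply at the top of this message, as an added example that is not code from the thread or from the FreeIPA/SSSD projects: it assumes SSSD's default cache directory /var/lib/sss/db and systemctl as the service manager; the backup location and function names are constructed here.</div>

```shell
#!/bin/sh
# Added example: reset SSSD's on-disk cache on a re-enrolled IPA client so
# nothing cached from the old domain survives the reinstall. Assumes SSSD's
# default cache directory /var/lib/sss/db and systemctl as service manager
# (both are assumptions, not taken from the thread). Files are moved to a
# backup directory rather than deleted so the old cache can be inspected.
set -eu

# Move every file in CACHE_DIR into a timestamped subdirectory of BACKUP_ROOT.
# Prints the number of files moved.
stash_sss_cache() {
    cache_dir=$1
    backup_dir=$2/sss-db-$(date +%Y%m%d%H%M%S)
    mkdir -p "$backup_dir"
    moved=0
    for f in "$cache_dir"/* "$cache_dir"/.[!.]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mv "$f" "$backup_dir"/
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Succeed only if CACHE_DIR holds no SSSD database (*.ldb) or ccache file.
sss_cache_is_empty() {
    cache_dir=$1
    for f in "$cache_dir"/*.ldb "$cache_dir"/ccache_*; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Full procedure for a live client (run as root): stop sssd so it does not
# write to the cache while it is being moved, stash it, start sssd again.
reset_sssd_cache() {
    cache_dir=${1:-/var/lib/sss/db}
    backup_root=${2:-/root/sss-cache-backup}
    systemctl stop sssd
    n=$(stash_sss_cache "$cache_dir" "$backup_root")
    systemctl start sssd
    echo "moved $n file(s) from $cache_dir; sssd restarted with an empty cache"
}
```

Run reset_sssd_cache with no arguments on the affected client after ipa-client-install --uninstall and before re-enrolling, then confirm with sss_cache_is_empty /var/lib/sss/db before starting the reinstall.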