[Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones Steven.Jones at vuw.ac.nz
Tue Mar 8 20:49:39 UTC 2011


8><--------
> 
> Steven, sorry you're having such a hard time with this. Let me see if I
> can help point you in the right direction.
> 
> I'm trying to look at the history of this thread, but I'm coming into it
> late, so please forgive me if I retread any ground that's already been
> covered.
> 
> First, I need to verify that I understand the state from which you're
> working. Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64-bit.

> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)


">>" 'd output,

==============
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2

domains = ipa.ac.nz
[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
====================

So I wiped the secure log, logged out and tried to log in.  The secure
log on the guest may be interesting; it looks like sssd isn't running on
the guest?  I restarted it but to no avail:

====================
Mar  9 09:36:54 fed14-64-ipacl01 su: pam_unix(su-l:session): session closed for user root
Mar  9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_unix(gdm-password:session): session closed for user jonesst1
Mar  9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar  9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.22, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar  9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.40, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar  9 09:36:57 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.65 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): conversation failed
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: gkr-pam: no password is available for user
Mar  9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=jonesst1
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar  9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_unix(gdm-password:session): session opened for user jonesst1 by (uid=0)
Mar  9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar  9 09:37:24 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session4 (system bus name :1.80 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar  9 09:37:36 fed14-64-ipacl01 su: pam_unix(su-l:session): session opened for user root by jonesst1(uid=500)
===================

regards


> I noticed that you mentioned in an earlier email that you were editing
> nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
> client (any more). We now use SSSD (and ipa-client-install should be
> setting this up for you).
> 
> So what I need to see are the following configuration files:
> 1) /etc/nsswitch.conf
> 2) /etc/sssd/sssd.conf
> 3) /etc/pam.d/system-auth
> 4) /etc/pam.d/password-auth (if using GDM)
> 
> Also, to start debugging login problems, the best place to look is in
> /var/log/secure, which should report any PAM modules that are denying
> access to the account (and the reason why it's being denied).
> 
> Please provide us with the above information and we'll see what we can
> do to get you up and running.
> 
> Also, for much faster triage and debugging, you can join the #freeipa
> and/or #sssd IRC channels on the irc.freenode.net IRC server and speak
> with us directly. My nick on those channels is 'sgallagh'.

I will try and get access to freenode again, but security policy might
now stop that... also I used to find that because I'm in NZ no one
responds (in other channels)... wrong time zone.

regards
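As an added example, not part of the thread or of the FreeIPA/SSSD projects: a small Python triage script that pulls the pam_*(service:phase) records out of a /var/log/secure excerpt and explains what they imply for the login path. The sample log is constructed from the lines quoted above; the reasoning encoded in it follows the system-auth stack shown above, where a user absent from /etc/passwd fails pam_unix and depends entirely on pam_sss reaching sssd.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpt quoted in the thread.
SAMPLE_LOG = """\
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar  9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=jonesst1
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar  9 09:37:36 fed14-64-ipacl01 su: pam_unix(su-l:session): session opened for user root by jonesst1(uid=500)
"""

# Matches the "pam_module(service:phase): message" shape that Linux-PAM modules log.
PAM_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)")


def parse_pam_events(text):
    """Return one dict (module, service, phase, msg) per PAM log record."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose(events):
    """Turn PAM events into human-readable findings about the login path."""
    findings = []
    # pam_sss talks to sssd over a local socket; "Connection refused" means
    # nothing is listening, i.e. sssd is not running, so IPA users cannot log in.
    refused = [e for e in events if e["module"] == "pam_sss" and "Connection refused" in e["msg"]]
    if refused:
        phases = sorted({e["phase"] for e in refused})
        findings.append("pam_sss cannot reach sssd (connection refused) in phases %s: "
                        "sssd is not running or its socket is missing; check that the "
                        "sssd daemon is up and read /var/log/sssd/ before touching PAM"
                        % ", ".join(phases))
    # pam_unix only knows local accounts; with pam_unix 'sufficient' in system-auth,
    # a failure here is expected for IPA users and hands the password to pam_sss.
    for e in events:
        if e["module"] == "pam_unix" and e["phase"] == "auth" and "authentication failure" in e["msg"]:
            user = re.search(r"user=(\S+)", e["msg"])
            if user:
                findings.append("pam_unix rejected %s: not a local account or wrong password, "
                                "so the attempt falls through to pam_sss" % user.group(1))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pam_events(SAMPLE_LOG)):
        print("-", finding)
```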

