[Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Mar 8 20:49:39 UTC 2011
8><--------
>
> Steven, sorry you're having such a hard time with this. Let me see if I
> can help point you in the right direction.
>
> I'm trying to look at the history of this thread, but I'm coming into it
> late, so please forgive me if I retread any ground that's already been
> covered.
>
> First, I need to verify that I understand the state from which you're
> working. Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?
[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0
F14 and 64bit.
> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)
">>"'d output:
==============
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.ac.nz
[nss]
[pam]
[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz
[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
====================
So I wiped the secure log, logged out and tried to log in. The secure
log on the guest may be interesting; it looks like sssd isn't running on
the guest? I restarted it but to no avail.
====================
Mar 9 09:36:54 fed14-64-ipacl01 su: pam_unix(su-l:session): session closed for user root
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_unix(gdm-password:session): session closed for user jonesst1
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.22, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.40, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:57 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.65 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): conversation failed
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: gkr-pam: no password is available for user
Mar 9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_unix(gdm-password:session): session opened for user jonesst1 by (uid=0)
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:37:24 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session4 (system bus name :1.80 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:36 fed14-64-ipacl01 su: pam_unix(su-l:session): session opened for user root by jonesst1(uid=500)
===================
regards
> I noticed that you mentioned in an earlier email that you were editing
> nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
> client (any more). We now use SSSD (and ipa-client-install should be
> setting this up for you).
>
> So what I need to see are the following configuration files:
> 1) /etc/nsswitch.conf
> 2) /etc/sssd/sssd.conf
> 3) /etc/pam.d/system-auth
> 4) /etc/pam.d/password-auth (if using GDM)
>
> Also, to start debugging login problems, the best place to look is in
> /var/log/secure, which should report any PAM modules that are denying
> access to the account (and the reason why it's being denied).
>
> Please provide us with the above information and we'll see what we can
> do to get you up and running.
>
> Also, for much faster triage and debugging, you can join the #freeipa
> and/or #sssd IRC channels on the irc.freenode.net IRC server and speak
> with us directly. My nick on those channels is 'sgallagh'.
I will try and get access to freenode again, but security policy might
now stop that... also I used to find that because I'm in NZ no one
responds (in other channels)... wrong time zone.
regards
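Added example (not part of the thread, and not FreeIPA or SSSD project code): a POSIX shell triage script for the two symptoms visible in the message above. It reads the pasted /var/log/secure lines to count pam_sss requests that were refused ("Request to sssd failed. Connection refused" means nothing is listening on the sssd PAM responder socket, so pam_sss can never consult IPA, whatever the rest of the PAM stack says), lists users whose local pam_unix check failed, and checks the pasted sssd.conf for [domain/...] sections that are absent from the [sssd] "domains =" list, since SSSD ignores such sections and the debug_level=9 placed under [domain/default] therefore has no effect. The function names and the embedded sample inputs are constructed for this example; the sample lines are copied from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed from the
# excerpts in the message; the function names are this example's own.

# Constructed /var/log/secure excerpt (one syslog entry per line).
SAMPLE_SECURE='Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused'

# Constructed sssd.conf modelled on the one in the post: a [domain/default]
# section exists but only ipa.ac.nz is enabled via "domains =".
SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.ac.nz
[nss]
[pam]
[domain/ipa.ac.nz]
id_provider = ipa
auth_provider = ipa
[domain/default]
auth_provider = krb5
debug_level=9'

# stdin: secure log lines. stdout: number of PAM requests that never reached
# sssd. "Connection refused" on the pam_sss socket means no sssd responder is
# listening, so pam_sss cannot consult IPA at all.
count_sssd_refused() {
    grep -c 'pam_sss([^)]*): Request to sssd failed' || true
}

# stdin: secure log lines. stdout: users whose password was rejected by
# pam_unix (local /etc/shadow), one per line, de-duplicated.
pam_unix_failed_users() {
    sed -n 's/.*pam_unix([^)]*:auth): authentication failure;.*user=\([^ ]*\).*/\1/p' | sort -u
}

# stdin: sssd.conf text. stdout: names of [domain/NAME] sections that are not
# in the [sssd] "domains =" list. sssd ignores such sections entirely, so any
# debug_level or provider settings placed there have no effect.
sssd_unlisted_domains() {
    awk '
        /^\[sssd\]/ { in_sssd = 1; next }
        /^\[/       { in_sssd = 0 }
        in_sssd && /^domains[ \t]*=/ {
            sub(/^domains[ \t]*=[ \t]*/, "")
            n = split($0, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) listed[parts[i]] = 1
        }
        /^\[domain\/.*\]$/ {
            name = $0
            sub(/^\[domain\//, "", name)
            sub(/\]$/, "", name)
            sections[++count] = name
        }
        END {
            for (i = 1; i <= count; i++)
                if (!(sections[i] in listed)) print sections[i]
        }'
}

# Run the three checks against the samples and print a short summary.
diagnose() {
    refused=$(printf '%s\n' "$SAMPLE_SECURE" | count_sssd_refused)
    if [ "$refused" -gt 0 ]; then
        echo "sssd unreachable: $refused pam_sss request(s) refused; check that sssd is running and read /var/log/sssd/"
    fi
    for u in $(printf '%s\n' "$SAMPLE_SECURE" | pam_unix_failed_users); do
        echo "pam_unix rejected the local password for $u; pam_sss is the next module in the stack"
    done
    for d in $(printf '%s\n' "$SAMPLE_SSSD_CONF" | sssd_unlisted_domains); do
        echo "sssd.conf: [domain/$d] is not in 'domains =' and is ignored by sssd"
    done
}

diagnose
```

Point the functions at real files with `count_sssd_refused < /var/log/secure` and `sssd_unlisted_domains < /etc/sssd/sssd.conf`; the refused count rising while pam_unix keeps failing for an IPA user is the signature of a client that is correctly configured for SSSD but has no running sssd daemon.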