[Freeipa-users] User can't login via ssh from external source
Joe Linoff
jlinoff at tabula.com
Fri Jul 20 19:03:39 UTC 2012
Hi Everybody:
I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
problem with a new user that I just set up.
That user cannot ssh into any host on the realm from an external source.
They get a permission denied problem but "old-user" with the same HBAC
configuration works.
% ssh -A -t -o Port=9346 new-user@somehost.example.com
new-user@somehost.example.com's password:
Permission denied, please try again.
% ssh -A -t -o Port=9346 old-user@somehost.example.com
old-user@somehost.example.com's password:
Last login: ...
[old-user@somehost ~]$
I checked their password by setting up a TGT using kinit. It worked. I
was also able to ssh into another host on the network.
% kinit new-user
Password for new-user@EXAMPLE.COM
% ssh new-user@somehost
Last login: ...
Could not chdir to home directory ...
-bash-4.1$ exit
That seems to indicate that the password is correct and that the
permissions are correct but to be sure I ran an hbactest on the server:
% ipa hbactest --user=new-user --service=ssh --host=somehost
--------------------
Access granted: True
--------------------
...
I did see something strange in /var/log/messages:
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
So I reset the password using the ipa passwd command:
% ipa passwd new-user
New Password:
Enter New Password again to verify:
-------------------------------------------
Changed password for new-user@EXAMPLE.COM
------------------------------------------
But I am still getting the Permission denied error.
What am I doing wrong? How can I debug this? Any help would be greatly
appreciated.
Thanks,
Joe