[Freeipa-users] User can't login via ssh from external

Steven Jones Steven.Jones at vuw.ac.nz
Mon Jul 23 22:18:13 UTC 2012


as below.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Joe Linoff [jlinoff at tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.


> In the GUI you can do an HBAC test of the rule.

I ran the hbactest rule testing from the command line using “ipa hbactest …”. It showed that the rules were correct. Do you think that the GUI might provide a different result?

========
probably not
========



> Also what are the UIDs?  IPA provided 32-bit ones?  or your own?


The UIDs were provided by IPA. Actually during testing I also provided my own at one point but reverted back when that didn’t seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates break the system or are there ranges of UIDs that are not legal?

===========
PAM prevents any user with a UID <500 from logging in with ssh (that bit me last week).
===========



> I'd suggest re-setting that user's password and get them to login and reset the password, that
> works for me, it was a sign of bad/failed replication in my system I think (now fixed).


I tried that using kpasswd and “ipa passwd” to change the password but neither solved the problem. In both cases I was able to run “kinit new-user” and set the credentials using the new password but new-user could not ssh in.
It was a really strange problem. It looks like something got out of sync but I could not (and cannot) figure out where. It is doubly difficult because removing and re-adding the user worked. In addition, adding other users worked.

======
Yes, I had the same symptoms, removing and re-adding a user worked for me also but re-setting the user's password in the web UI also worked and it's easier. It came down to failed replication I think, as now that is solved the issue has not re-appeared for users.
======

Regards,

Joe