[Freeipa-users] User can't login via ssh from external

[Rob Crittenden]

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
>  > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using “ipa
> hbactest …”. It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

>  > Also what are the UIDS?  IPA provided 32bit ones?  or your own?
>
> The UID’s were provided by IPA. Actually during testing I also provided
> my own at one point but reverted back when that didn’t seem to make a
> difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

>  > I'd suggest re-setting that user's password and get them to login and
> reset the password, that
>
>  > works for me, it was a sign of bad/failed replication in my system I
> think (now fixed).
>
> I tried that using kpasswd and “ipa passwd” to change the password but
> neither solved the problem. In both cases I was able to run “kinit
> new-user” and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of sync
> but I could not (and cannot) figure out where. It is doubly difficult
> because removing and re-adding the user worked. In addition, adding
> other users worked.

It could be that sssd cached something and wouldn't let it go, too. If 
you can reproduce this it is probably worthwhile bump up the log level 
and add pam debug logging to see what is happening.

regards

rob