[Freeipa-users] User can't login via ssh from external

Joe Linoff jlinoff at tabula.com
Mon Jul 23 22:33:19 UTC 2012


Hi Rob:

> The issue is if the UIDS are < 1000 they are treated as local in sssd.

Ahh, of course, thanks. I never assigned any UIDs < 1000 (or less than
10000 for that matter).

> It could be that sssd cached something and wouldn't let it go, too. If
> you can reproduce this it is probably worthwhile to bump up the log level
> and add pam debug logging to see what is happening.

That is a great idea and it makes sense given what I was seeing. I will
give it a try. I just wasn't sure which service I should be analyzing.

Regards,

Joe


-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Monday, July 23, 2012 3:23 PM
To: Joe Linoff
Cc: Steven.Jones at vuw.ac.nz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
>  > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using "ipa
> hbactest ...". It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

>  > Also what are the UIDS?  IPA provided 32bit ones?  or your own?
>
> The UIDs were provided by IPA. Actually during testing I also
> provided my own at one point but reverted back when that didn't seem
> to make a difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not
> legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

>  > I'd suggest re-setting that user's password and get them to login
>  > and reset the password, that works for me, it was a sign of bad/failed
>  > replication in my system I think (now fixed).
>
> I tried that using kpasswd and "ipa passwd" to change the password but
> neither solved the problem. In both cases I was able to run "kinit
> new-user" and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of
> sync but I could not (and cannot) figure out where. It is doubly
> difficult because removing and re-adding the user worked. In addition,
> adding other users worked.

It could be that sssd cached something and wouldn't let it go, too. If
you can reproduce this it is probably worthwhile to bump up the log level
and add pam debug logging to see what is happening.

regards

rob
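
The thread's two diagnostic threads (a UID under sssd's local-account threshold, and the question of duplicate UIDs) can be checked in one pass over `ipa user-find` output. The script below is an added example written for this page, not code from the thread, FreeIPA or sssd. It parses the "User login:" / "UID:" fields that `ipa user-find` prints, using the 1000 figure quoted by Rob as its default threshold (sssd's actual lower bound is the configurable `min_id`, which you can pass in instead), and reports duplicate UIDs separately without claiming they break anything, since the thread leaves that question open. The sample output is constructed.

```python
"""Audit `ipa user-find` output for UIDs that sssd would treat as local, and for duplicates."""
from typing import Dict, List

# Threshold quoted in the thread: sssd treats UIDs below 1000 as local accounts,
# so an IPA user assigned a UID in that range is not resolved through sssd.
# sssd's real bound is the `min_id` option in the [domain/...] section of
# sssd.conf; pass its value as `threshold` if your deployment overrides it.
LOCAL_UID_THRESHOLD = 1000

# Constructed `ipa user-find` output (sample data, not taken from the thread).
SAMPLE_USER_FIND = """\
--------------
4 users matched
--------------
  User login: admin
  Last name: Administrator
  UID: 1234500000
  GID: 1234500000
  Account disabled: False

  User login: svc-report
  First name: Report
  Last name: Service
  UID: 999
  GID: 999
  Account disabled: False

  User login: new-user
  First name: New
  Last name: User
  UID: 1234500001
  GID: 1234500001
  Account disabled: False

  User login: contractor
  First name: Con
  Last name: Tractor
  UID: 1234500001
  GID: 1234500003
  Account disabled: False
----------------------------
Number of entries returned 4
----------------------------
"""


def parse_user_find(text: str) -> Dict[str, int]:
    """Map each login in `ipa user-find` output to its numeric UID.

    Each record starts with a "User login:" line; the "UID:" line that
    follows belongs to that record. Banner and separator lines carry no
    colon and are skipped.
    """
    uids: Dict[str, int] = {}
    login = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "User login":
            login = value
        elif key == "UID" and login is not None:
            uids[login] = int(value)
    return uids


def below_local_threshold(uids: Dict[str, int],
                          threshold: int = LOCAL_UID_THRESHOLD) -> List[str]:
    """Logins whose UID falls under the threshold sssd reserves for local users."""
    return sorted(login for login, uid in uids.items() if uid < threshold)


def duplicate_uids(uids: Dict[str, int]) -> Dict[int, List[str]]:
    """UIDs shared by more than one login, with the logins that share them."""
    by_uid: Dict[int, List[str]] = {}
    for login, uid in uids.items():
        by_uid.setdefault(uid, []).append(login)
    return {uid: sorted(logins) for uid, logins in by_uid.items() if len(logins) > 1}


def audit(text: str, threshold: int = LOCAL_UID_THRESHOLD) -> Dict[str, object]:
    """Run both checks over raw `ipa user-find` output."""
    uids = parse_user_find(text)
    return {
        "below_threshold": below_local_threshold(uids, threshold),
        "duplicates": duplicate_uids(uids),
    }


if __name__ == "__main__":
    # In a real deployment: ipa user-find --all | python3 this_script.py
    report = audit(SAMPLE_USER_FIND)
    for login in report["below_threshold"]:
        print(f"UID below {LOCAL_UID_THRESHOLD}, sssd will treat as local: {login}")
    for uid, logins in report["duplicates"].items():
        print(f"UID {uid} shared by: {', '.join(logins)}")
```

Run it against live data with `ipa user-find --all` piped in, after replacing the constructed sample; a login listed under "below threshold" is the case Rob describes, where the user exists in IPA but sssd never answers for it.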
