[Freeipa-users] Password failing for sudo-ldap authentication only from one host
Jakub Hrozek
jhrozek at redhat.com
Thu Sep 27 08:01:26 UTC 2012
On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
> On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina <
> d.sastre.medina at gmail.com> wrote:
>
> > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > > David Sastre wrote:
> > > > [big snip]
> > > Does sssd work on this machine otherwise? getent passwd <foo>, you
> > > can log into the console as the user, or perhaps kinit to the user?
> >
>
> It looks like sssd is operating correctly
> $ getent passwd dsastrem
> dsastrem:*:1543400001:1543400001:David Sastre Medina:/home/dsastrem:/bin/rbash
>
> I can also kinit w/o problems:
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
>
> $ kinit dsastrem
> Password for dsastrem at SOME.DOMAIN.COM:
>
kinit bypasses the SSSD and talks to the KDC directly.
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: dsastrem at SOME.DOMAIN.COM
>
> I can log in using ssh, and the log shows:
> debug1: Authentication succeeded (gssapi-with-mic).
>
> Valid starting Expires Service principal
> 09/27/12 07:59:36 09/28/12 07:59:36 krbtgt/SOME.DOMAIN.COM at SOME.DOMAIN.COM
> renew until 09/28/12 08:01:20
>
...however, the ssh should go through the SSSD...
> Yet, sudo fails to authenticate me:
> dsastrem at obelix ~
> $ sudo ip addr show
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> sudo: 2 incorrect password attempts
Can you check the messages that appear in /var/log/secure during the
sudo auth attempt? You should see pam_sss being contacted; what does it
say? Is there any error?
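
Added example, not part of the original message: one way to answer the /var/log/secure question above is to pull out the PAM lines logged for the sudo service and see whether pam_sss appears and what status it logged. The sample log lines are constructed (only the hostname and user name come from the thread), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the usual /var/log/secure layout (not from the thread).
SAMPLE = """\
Sep 27 08:10:01 obelix sshd[2101]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
Sep 27 08:12:40 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/0 ruser=dsastrem rhost=  user=dsastrem
Sep 27 08:12:41 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/0 ruser=dsastrem rhost= user=dsastrem
Sep 27 08:12:41 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
"""

# PAM modules log as "module(service:type): message".
PAM_LINE = re.compile(r"\b(pam_\w+)\(([\w-]+):(\w+)\): (.*)$")
# pam_sss logs the PAM status code it received for the user.
SSS_STATUS = re.compile(r"received for user (\S+): (\d+) \((.*)\)")

def pam_messages(log_text, service="sudo"):
    """Group (type, message) pairs for one PAM service by module name."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if m and m.group(2) == service:
            seen[m.group(1)].append((m.group(3), m.group(4)))
    return dict(seen)

def sss_status(log_text, service="sudo"):
    """Return (user, code, text) for every status line pam_sss logged."""
    found = []
    for _type, msg in pam_messages(log_text, service).get("pam_sss", []):
        m = SSS_STATUS.search(msg)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def report(log_text, service="sudo"):
    """One-line answer to: was pam_sss contacted, and what did it say?"""
    mods = pam_messages(log_text, service)
    if "pam_sss" not in mods:
        return f"{service}: pam_sss not contacted (modules seen: {sorted(mods)})"
    codes = sss_status(log_text, service)
    if not codes:
        return f"{service}: pam_sss contacted, no error status logged"
    return "; ".join(f"{service}: pam_sss returned {c} ({t}) for {u}" for u, c, t in codes)

if __name__ == "__main__":
    print(report(SAMPLE))
```

To run it against a real host, pass the contents of /var/log/secure (read as root) to `report()` instead of `SAMPLE`.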