[Freeipa-users] Issues after setup

Shawn taaj.shawn at gmail.com
Wed Apr 10 18:27:36 UTC 2013


(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'staaj' matched without domain, user is staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:
staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service:
sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost:
50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok
size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/company-dev.com/staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x41b300:3:staaj at vocal-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
Creating request for [company-dev.com][3][1][name=staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x41b300:3:staaj at company-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000):
0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
B35A10
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success



(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain:
company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service:
sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost:
50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok
size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb41990
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x41b300:3:staaj at company-dev.com]

The only thing I see about SELinux is here:

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040):
creating the temp file for SELinux data failed.
/etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

# rpm -qa |grep sssd
sssd-client-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64





On Wed, Apr 10, 2013 at 2:15 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> > Shawn wrote:
> > >[root at freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn.
> --service=sshd
> > >--------------------
> > >Access granted: True
> > >--------------------
> > >   Matched rules: allow_all
> > >[root at freeipa ~]#
> > >
> > >
> > >└─> ssh myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com
> > ><mailto:myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com> -i
> > >/home/user/.ssh/key
> > >Connection closed by 54x.x.x.x
> > >
> > >(client server logs)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> > >Access denied for user myuser: 4 (System error)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> > >user client by PAM account configuration
> > >
> > >
> > >(client ipa versions)
> > >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > >ipa-client-3.0.0-26.el6_4.2.x86_64
> > >ipa-python-3.0.0-26.el6_4.2.x86_64
> > >
> > >
> > >(master ipa versions)
> > >[root at freeipa ~]# rpm -qa |grep ipa-
> > >
> > >ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >ipa-client-3.0.0-26.el6_4.2.x86_64
> > >ipa-python-3.0.0-26.el6_4.2.x86_64
> > >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > >ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> > >ipa-server-3.0.0-26.el6_4.2.x86_64
> > >[root at freeipa ~]#
> >
> > An error is occurring somewhere which is why access is denied. This
> > isn't HBAC, that looks like:
> >
> > pam_sss(sshd:account): Access denied for user admin: 6 (Permission
> denied)
> >
> > You need to crank up debugging in sssd and see what its logs say.
> >
> > rob
>
> What SSSD version is there on the client?
>
> It's possible that it might be a similar issue to one Jan-Frode had with
> SELinux.
>
> Rob is right, please raise the debug_level in the [pam] and [domain]
> sections and attach or paste the relevant portions of (sanitized) logs.
>



-- 
*- Shawn Taaj*
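A small triage helper for sssd_pam.log excerpts like the one pasted above, added here as an example and not code from the thread or from SSSD itself. It re-joins entries that the mail client wrapped, splits the pam_reply entry that got fused onto the end of the SELinux path line, flags entries logged at SSSD's fatal/critical/operation-failure levels (0x0010, 0x0020, 0x0040, the level of the write_selinux_login_file line), and groups the pam_print_data fields into one record per PAM request. The SAMPLE log is constructed from the lines quoted above, not the real file.

```python
import re
# SSSD debug levels in the "(0x....)" field: fatal 0x0010, critical 0x0020,
# operation failure 0x0040; anything at or below that is a real error.
OP_FAILURE = 0x0040
# One entry: "(timestamp) [process] [function] (0xLEVEL): message".
ENTRY_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
                      r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
# Split on the timestamp prefix, so mail-wrapped entries and two entries fused
# onto one line (a lost newline, as in the thread) both come apart cleanly.
SPLIT_RE = re.compile(r"(?=\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\) \[)")

def parse_sssd_log(text):
    """Return [{ts, proc, func, level, msg}, ...], skipping non-entry text."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        m = ENTRY_RE.match(" ".join(chunk.split()))  # re-join wrapped lines
        if m:
            e = m.groupdict()
            e["level"] = int(e["level"], 16)
            entries.append(e)
    return entries

def find_failures(entries, threshold=OP_FAILURE):
    """Entries at fatal, critical or operation-failure level."""
    return [e for e in entries if e["level"] <= threshold]

def pam_requests(entries):
    """Group consecutive pam_print_data fields into one dict per PAM request."""
    reqs = []
    for e in (e for e in entries if e["func"] == "pam_print_data"):
        key, _, val = e["msg"].partition(":")
        if key.strip() == "command":  # first field printed for each request
            reqs.append({})
        if reqs:
            reqs[-1][key.strip()] = val.strip()
    return reqs

# Constructed excerpt in the shape of the thread's sssd_pam.log, not the real file.
SAMPLE = """\
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040):
creating the temp file for SELinux data failed.
/etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
"""
if __name__ == "__main__":
    print(find_failures(parse_sssd_log(SAMPLE)))
```

Running it on the real file prints only the failure-level entries, which is the first place to look when pam_sss reports "4 (System error)".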