[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

Rob Crittenden rcritten at redhat.com
Sat Feb 23 22:36:58 UTC 2013


Dale Macartney wrote:
>
> Even folks
>
> I've verified this both in a kickstart and via manual install to verify
> any user error on my part.
>
> I have a clean installation of RHEL 6.4 for an IPA domain of example.com
>
> I also have several clients which are also clean installs of rhel 6.4
> and although I can see ipa users via getent and even acquire a TGT
> successfully, I am unable to login with any ipa user on any ipa member
> server.
>
> I see the same results for any type of login attempt, e.g. gnome desktop
> or ssh
>
> My client installation is done by this command.
>
> ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
>
> IPA client version 3.0.0-25
> SSSD version 1.9.2-82
>
>
> Logs from client are as follows.
>
> ==> /var/log/secure <==
> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.0.1.254  user=admin
> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
> message: Your password will expire in 89 day(s).
> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.0.1.254 user=admin
>
> ==> /var/log/btmp <==
> s    ssh:nottyadmin10.0.1.254@>)Q
> ?
> ==> /var/log/secure <==
> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
> denied for user admin: 4 (System error)
> Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
> 10.0.1.254 port 55554 ssh2
> Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
> admin by PAM account configuration
>
> ==> /var/log/Xorg.0.log <==
> [   604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
> from local host ( uid=42 gid=42 pid=1958 )
>    Auth name: MIT-MAGIC-COOKIE-1 ID: 284
> [   604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected
>
> ==> /var/log/messages <==
> Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
> stratum 5
> Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
> stratum 11
>
>
> interactive shell output as follows
>
> [mac@rhodey ~]$ ssh admin@10.0.1.102
> admin@10.0.1.102's password:
> Your password will expire in 89 day(s).
> Connection closed by 10.0.1.102
> [mac@rhodey ~]$
>
>
> Am I doing something rather trivially wrong or is there something fishy
> going on here?
>
> Thanks in advance.

I'd check your HBAC configuration.

rob
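
An added example, not part of the original thread: a small Python triage of the /var/log/secure lines quoted above. It pairs pam_sss results by sshd PID to show that the password was accepted in the auth phase and the login was then rejected in the account phase, which is where SSSD applies access control such as HBAC. The sample lines are reconstructed from the quoted log with mail wrapping removed, and the name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Sample input reconstructed from the /var/log/secure lines quoted in the thread.
SAMPLE = """\
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254  user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from 10.0.1.254 port 55554 ssh2
"""

# daemon[pid]: pam_module(service:phase): message
PAM_LINE = re.compile(
    r"(?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<module>pam_\w+)"
    r"\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)")
DENIED = re.compile(
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
AUTH_OK = re.compile(r"authentication success;.*\buser=(?P<user>\S+)")


def triage(log_text):
    """Return one finding per login that passed pam_sss auth but failed account."""
    sessions = defaultdict(lambda: {"auth_ok": set(), "denied": []})
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if not m or m["module"] != "pam_sss":
            continue  # local pam_unix failures are expected for IPA-only users
        s = sessions[(m["daemon"], m["pid"])]
        if m["phase"] == "auth" and (ok := AUTH_OK.search(m["msg"])):
            s["auth_ok"].add(ok["user"])
        elif m["phase"] == "account" and (d := DENIED.search(m["msg"])):
            s["denied"].append((d["user"], int(d["code"]), d["text"], m["service"]))
    findings = []
    for (_daemon, pid), s in sessions.items():
        for user, code, text, service in s["denied"]:
            if user in s["auth_ok"]:  # credentials were fine, access was not
                findings.append({
                    "pid": int(pid), "user": user, "service": service,
                    "pam_code": code, "pam_text": text,
                    "verdict": "credentials accepted, rejected in account phase"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding of this kind says the problem is access control or its evaluation rather than the password; on the IPA server, `ipa hbactest` evaluates the HBAC rules for a given user, host and service.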



