[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

Jakub Hrozek jhrozek at redhat.com
Mon Feb 25 10:15:24 UTC 2013


On Sat, Feb 23, 2013 at 10:40:03PM +0000, Dale Macartney wrote:
> 
> On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> > Dale Macartney wrote:
> >>
> >> Evening folks
> >>
> >> I've verified this both in a kickstart and via manual install to verify
> >> any user error on my part.
> >>
> >> I have a clean installation of RHEL 6.4 for an IPA domain of example.com
> >>
> >> I also have several clients which are also clean installs of rhel 6.4
> >> and although I can see ipa users via getent and even acquire a TGT
> >> successfully, I am unable to log in with any ipa user on any ipa member
> >> server.
> >>
> >> I see the same results for any type of login attempt, e.g. gnome desktop
> >> or ssh
> >>
> >> My client installation is done by this command.
> >>
> >> ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
> >>
> >> IPA client version 3.0.0-25
> >> SSSD version 1.9.2-82
> >>
> >>
> >> Logs from client are as follows.
> >>
> >> ==> /var/log/secure <==
> >> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
> >> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> >> rhost=10.0.1.254 user=admin
> >> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
> >> message: Your password will expire in 89 day(s).

FTR, this is a known bug that will be fixed in an asynchronous errata
Very Soon Now.

> >> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
> >> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> >> rhost=10.0.1.254 user=admin
> >>
> >> ==> /var/log/btmp <==
> >> s ssh:nottyadmin10.0.1.254@>)Q
> >> ?
> >> ==> /var/log/secure <==
> >> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
> >> denied for user admin: 4 (System error)

What state is your SELinux in? Permissive/Enforcing/Disabled ?

> >> Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
> >> 10.0.1.254 port 55554 ssh2
> >> Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
> >> admin by PAM account configuration
> >>
> >> ==> /var/log/Xorg.0.log <==
> >> [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
> >> from local host ( uid=42 gid=42 pid=1958 )
> >> Auth name: MIT-MAGIC-COOKIE-1 ID: 284
> >> [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected
> >>
> >> ==> /var/log/messages <==
> >> Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
> >> stratum 5
> >> Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
> >> stratum 11
> >>
> >>
> >> interactive shell output as follows
> >>
> >> [mac@rhodey ~]$ ssh admin@10.0.1.102
> >> admin@10.0.1.102's password:
> >> Your password will expire in 89 day(s).
> >> Connection closed by 10.0.1.102
> >> [mac@rhodey ~]$
> >>
> >>
> >> Am I doing something rather trivially wrong or is there something fishy
> >> going on here?
> >>
> >> Thanks in advance.
> >
> > I'd check your HBAC configuration.
> >
> > rob
> >
> That is actually the very first thing I did, as it is a 100% clean
> installation of IPA, plus the addition of one user and one IPA replica.
> 
> All users are granted access to all hosts.
> 
> [root@ds01 ~]# ipa hbacrule-find
> -------------------
> 1 HBAC rule matched
> -------------------
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Source host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ds01 ~]#
> 
> 
> 
> 
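An added triage example, not from the thread or from the FreeIPA project: given lines shaped like the /var/log/secure excerpt quoted above, it ties each sshd PID's pam_sss auth-phase and account-phase messages together, so a password that was accepted but then denied in the account stack (the "4 (System error)" case here, which points at HBAC/SSSD/SELinux rather than credentials) is not misread as a bad-password failure. The sample log is constructed; PID 2500 is a made-up bad-password session for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt quoted in the thread.
SAMPLE_SECURE = """\
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info message: Your password will expire in 89 day(s).
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from 10.0.1.254 port 55554 ssh2
Feb 23 22:11:30 workstation02 sshd[2500]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=bob
Feb 23 22:11:30 workstation02 sshd[2500]: Failed password for bob from 10.0.1.254 port 55560 ssh2
"""

# One sshd child (the bracketed PID) handles one login attempt, so the PID is the
# key that ties the auth-phase and account-phase PAM messages together.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"pam_sss\(sshd:auth\): authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")
ACCT_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): \d+ \((?P<reason>[^)]*)\)")


def triage(log_text):
    """Return {pid: (user, verdict, account_reason)} for each sshd session seen."""
    sessions = defaultdict(lambda: {"user": None, "auth": None, "acct_reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group("pid")], m.group("msg")
        if a := AUTH_RE.search(msg):
            s["user"], s["auth"] = a.group("user"), a.group("result")
        if d := ACCT_RE.search(msg):
            s["user"], s["acct_reason"] = d.group("user"), d.group("reason")
    verdicts = {}
    for pid, s in sessions.items():
        if s["acct_reason"] is not None:
            # The password was accepted; the denial came from the account stack
            # (HBAC evaluation, SSSD or SELinux trouble), not from the credentials.
            verdict = "account_denied"
        elif s["auth"] == "failure":
            verdict = "bad_credentials"
        elif s["auth"] == "success":
            verdict = "login_ok"
        else:
            verdict = "incomplete"
        verdicts[pid] = (s["user"], verdict, s["acct_reason"])
    return verdicts


if __name__ == "__main__":
    for pid, (user, verdict, reason) in sorted(triage(SAMPLE_SECURE).items()):
        print(f"sshd[{pid}] user={user}: {verdict}" + (f" ({reason})" if reason else ""))
```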