[Freeipa-users] Logging Failed User logins for Trust Users

Sumit Bose sbose at redhat.com
Tue Jun 4 08:06:57 UTC 2013


On Mon, Jun 03, 2013 at 04:30:19PM -0400, Dmitri Pal wrote:
> On 06/03/2013 02:23 PM, Aly Khimji wrote:
> > Quick questions guys, 
> >
> > can you advise if there is a particular place(s) where successful and failed
> > user authentications are logged? I know for local users I can go
> > through the 389 access logs, but for trust-based users can you advise
> > where I would look? I know I see a proper ticket issued in the krb5kdc
> > logs, but I mainly care about failed logins.
> 
> What is the scenario?
> Is this: user from AD logs into a Linux system that is joined into IPA
> via SSSD?
> In this case the authentication happens in AD so the audit trail will be
> there.
> Once this user tries to access a resource in IPA domain there will be a
> record of issuing this user a service ticket in the kerberos log.
> 
> The users always get TGTs from the domain they belong to so the record
> will be in the log of the corresponding KDC.

Are you using ssh to log in to the IPA client or is this a console
login?

In the first case logs from sshd might help. Typically issues here are
related to access checks and mapping the Kerberos principal to a local
user name. See e.g.
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf
for how to configure the auth_to_local feature. Please note that Kerberos
principals are handled case-sensitively here, i.e. if your AD user's name
uses upper and lower case you have to use the same case at the ssh login
prompt. Alternatively you can add a .k5login file in the user's home
directory on the IPA client.

For console login the sssd logs are the best source to figure out what's
going wrong.

HTH

bye,
Sumit

> 
> 
> >
> > Thx 
> >
> > Aly
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 

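To make the case-sensitivity point from Sumit's reply concrete, here is an added example (not from the thread, and not FreeIPA or MIT krb5 code): a simplified evaluator for krb5.conf auth_to_local RULE/DEFAULT entries in the style the linked howto describes, plus the .k5login override, showing that the mapped name is compared exactly against the ssh login name. The realm names, the rule and the principals are constructed assumptions.

```python
import re

# Constructed sample configuration (assumed values, not taken from the thread).
DEFAULT_REALM = "IPA.EXAMPLE.COM"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/@AD\.EXAMPLE\.COM/@ad.example.com/",
    "DEFAULT",
]
# RULE:[n:string](regexp)s/pattern/replacement/[g]  (simplified MIT krb5 syntax)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/(.*?)/(.*?)/(g?)$")


def _format(principal, ncomp, fmt):
    """Expand $0 (realm) and $1..$n (components) when the component count matches."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != ncomp:
        return None
    out = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        out = out.replace("$%d" % i, comp)
    return out


def map_principal(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Return the local name the first matching rule produces, or None (no mapping)."""
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            name, realm = principal.rsplit("@", 1)
            if realm == default_realm and "/" not in name:
                return name
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule syntax: %s" % rule)
        ncomp, fmt, selector, pat, repl, flag = m.groups()
        candidate = _format(principal, int(ncomp), fmt)
        if candidate is None or not re.search(selector, candidate):
            continue
        # The sed-style substitution is applied as-is: case is preserved.
        return re.sub(pat, repl, candidate, count=0 if flag == "g" else 1)
    return None


def login_allowed(principal, login_name, k5login=()):
    """sshd-style decision: a .k5login entry wins, otherwise the mapped name must match exactly."""
    if principal in k5login:
        return True
    return map_principal(principal) == login_name
```

Note that "John.Doe@AD.EXAMPLE.COM" maps to "John.Doe@ad.example.com", so logging in as "john.doe@ad.example.com" is refused unless that principal is listed in the target user's .k5login.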