[Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh tmaugh at boingo.com
Tue Apr 1 14:17:43 UTC 2014 

I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using gsapi what lines should be uncommented or entered or set to true or yes for Pam. I tried the one pam line I saw to true. But it made no difference

-----Original Message-----
From: Sumit Bose [mailto:sbose at redhat.com] 
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +0000, Todd Maugh wrote:
> 
> [root at black-62 sssd]# tail -f sssd_ops.boingo.com.log (Mon Mar 31 
> 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] 
> (4): Found address for server idm-master-els.ops.boingo.com: 
> [172.22.170.46] TTL 7200 (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] 
> [acctinfo_callback] (4): Request processed. Returned 0,0,Success (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] 
> [be_get_account_info] (4): Got request for 
> [4097][1][name=tmp.XXXXUiK3X6] (Mon Mar 31 22:59:01 2014) 
> [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. 
> Returned 0,0,Success (Mon Mar 31 23:00:01 2014) 
> [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for 
> [4097][1][name=tmp.XXXXUiK3X6] (Mon Mar 31 23:00:01 2014) 
> [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. 
> Returned 0,0,Success (Mon Mar 31 23:01:01 2014) 
> [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for 
> [4097][1][name=tmp.XXXXUiK3X6] (Mon Mar 31 23:01:01 2014) 
> [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. 
> Returned 0,0,Success (Mon Mar 31 23:02:01 2014) 
> [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for 
> [4097][1][name=tmp.XXXXUiK3X6] (Mon Mar 31 23:02:01 2014) 
> [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. 
> Returned 0,0,Success (Mon Mar 31 23:03:01 2014) 
> [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for 
> [4097][1][name=tmp.XXXXUiK3X6] (Mon Mar 31 23:03:01 2014) 
> [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. 
> Returned 0,0,Success

The log does not show any authentication or PAM related activities.
Please increase the debug_level and check for PAM related messages like e.g. "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE".

If there are no such messages, please check your PAM configuration as Dmitri suggested.

HTH

bye,
Sumit

> 
> I see this in the sssd Logs  but still not authenticating
> 
> will check out AVC and SELinux very frustrating
> 
> 
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled 
> and enrolled to new server cant authenticate
> 
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
> 
> Ok. I'd start with increasing the sssd log level and see what it says.
> 
> I gather that basic nss works since you can kinit as other users.
> 
> You may want to check for SELinux AVCs as well.
> 
> rob
> 
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled 
> > and enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> >> Hi,
> >>
> >> I have a rhel5 client  I had problems with my IPA environment and 
> >> had to rebuild
> >>
> >> I'm on the latest version of IPA with a red hat 6 server
> >>
> >> I successfully enrolled the client to the new server (same domain, 
> >> same
> >> realm) I had removed all old certs, sysrestores, and 
> >> ipa/default.conf
> >>
> >> I can ssh to the box as root, and then either su or kinit to any 
> >> IPA user with out issue
> >>
> >> But when I try to ssh as the ipauser to the box it gives me 
> >> permission denied, please try again
> >>
> >> I cleared out the sssd cache and restarted sssd
> >>
> >> Is there something I'm missing or a log to check?
> >>
> >> I need to worked this out before I move forward enrolling other 
> >> previously enrolled clients.
> >
> > Check your HBAC rules.
> >
> > rob
> >
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list