[Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh tmaugh at boingo.com
Tue Apr 1 18:00:28 UTC 2014


Here is my sssd.conf:

[root at black-64.qa ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

domains = ops.boingo.com
[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
[domain/ops.boingo.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ops.boingo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, idm-master-els.ops.boingo.com
ldap_tls_cacert = /etc/ipa/ca.crt



________________________________________
From: Todd Maugh
Sent: Tuesday, April 01, 2014 10:58 AM
To: Sumit Bose
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I am seeing this error in /var/log/secure

[root at black-64.qa ~]# tail /var/log/secure
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr  1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr  1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250  user=tmaugh
Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
Apr  1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for user root by (uid=0)




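As an added illustration (not part of this thread), a small parser over the /var/log/secure excerpt above that separates pam_sss "System error" returns (Linux-PAM code 4, PAM_SYSTEM_ERR, meaning the sssd/PAM stack could not complete the request) from ordinary credential failures (code 7, PAM_AUTH_ERR, and friends). The sample log is the excerpt from the message above; the code mapping is Linux-PAM's standard return values.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt posted earlier in this thread.
SAMPLE_SECURE_LOG = """\
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
"""

# Linux-PAM return codes as pam_sss prints them after "received for user". 4 (PAM_SYSTEM_ERR)
# means the module could not complete the request at all: look at sssd/PAM config, not the password.
PAM_SYSTEM_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 4, 6, 7, 10
CREDENTIAL_CODES = {PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN}

FAILURE_RE = re.compile(r"pam_sss\([\w-]+:auth\): authentication failure;.*rhost=(?P<rhost>\S*) .*user=(?P<user>\S+)")
RECEIVED_RE = re.compile(r"pam_sss\([\w-]+:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")

def parse_pam_sss(log_text):
    """One (user, rhost, code, reason) tuple per completed pam_sss auth attempt."""
    records, pending_rhost = [], {}
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:                                   # first line of the pair carries rhost
            pending_rhost[m.group("user")] = m.group("rhost")
            continue
        m = RECEIVED_RE.search(line)
        if m:                                   # second line carries the PAM return code
            user = m.group("user")
            records.append((user, pending_rhost.pop(user, ""), int(m.group("code")), m.group("reason")))
    return records

def triage(log_text):
    """Per-user verdict: 'infrastructure', 'credential' or 'mixed' (see the PAM codes above)."""
    codes_by_user = defaultdict(list)
    for user, _rhost, code, _reason in parse_pam_sss(log_text):
        codes_by_user[user].append(code)
    verdict = {}
    for user, codes in codes_by_user.items():
        if all(c == PAM_SYSTEM_ERR for c in codes):
            verdict[user] = "infrastructure"    # check the sssd domain/pam logs, not the user's password
        elif all(c in CREDENTIAL_CODES for c in codes):
            verdict[user] = "credential"
        else:
            verdict[user] = "mixed"
    return verdict
```

For the excerpt above every attempt for tmaugh returns code 4, so the verdict is "infrastructure", which matches the thread's direction of raising sssd's debug_level and checking the PAM stack rather than the password.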
________________________________________
From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Todd Maugh <tmaugh at boingo.com>
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using GSSAPI. What lines should be uncommented, entered, or set to true or yes for PAM? I tried setting the one PAM line I saw to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sbose at redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +0000, Todd Maugh wrote:
>
> [root at black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities.
Please increase the debug_level and check for PAM related messages like e.g. "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE".

If there are no such messages, please check your PAM configuration as Dmitri suggested.

HTH

bye,
Sumit

>
> I see this in the sssd logs, but it is still not authenticating.
>
> Will check out AVC and SELinux. Very frustrating.
>
>
> ________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled
> and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
>
> Ok. I'd start with increasing the sssd log level and see what it says.
>
> I gather that basic nss works since you can kinit as other users.
>
> You may want to check for SELinux AVCs as well.
>
> rob
>
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled
> > and enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> >> Hi,
> >>
> >> I have a RHEL 5 client. I had problems with my IPA environment and
> >> had to rebuild.
> >>
> >> I'm on the latest version of IPA with a Red Hat 6 server.
> >>
> >> I successfully enrolled the client to the new server (same domain,
> >> same realm). I had removed all old certs, sysrestores, and
> >> ipa/default.conf.
> >>
> >> I can ssh to the box as root, and then either su or kinit to any
> >> IPA user without issue.
> >>
> >> But when I try to ssh as the IPA user to the box it gives me
> >> "permission denied, please try again".
> >>
> >> I cleared out the sssd cache and restarted sssd.
> >>
> >> Is there something I'm missing or a log to check?
> >>
> >> I need to work this out before I move forward enrolling other
> >> previously enrolled clients.
> >
> > Check your HBAC rules.
> >
> > rob
> >
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
