[Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.
Dmitri Pal
dpal at redhat.com
Thu Jan 2 21:51:14 UTC 2014
On 01/02/2014 04:45 PM, Genadi Postrilko wrote:
> It's a newly installed IPA Server, haven't added any Rules.
>
> The relevant output from /var/log/secure :
>
> Jan 2 13:36:24 ipaserver sshd[4864]: Invalid user from 192.168.227.100
> Jan 2 13:36:24 ipaserver sshd[4865]: input_userauth_request: invalid user
> Jan 2 13:36:26 ipaserver sshd[4865]: Connection closed by 192.168.227.100
> Jan 2 13:36:35 ipaserver sshd[4868]: Invalid user Administrator at ADDC.COM from 192.168.227.100
> Jan 2 13:36:35 ipaserver sshd[4869]: input_userauth_request: invalid user Administrator at ADDC.COM
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): check pass; user unknown
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.100
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_succeed_if(sshd:auth): error retrieving information about user Administrator at ADDC.COM
> Jan 2 13:36:46 ipaserver sshd[4868]: Failed password for invalid user Administrator at ADDC.COM from 192.168.227.100 port 62484 ssh2
>
>
>
> 2014/1/2 Rob Crittenden <rcritten at redhat.com>
>
> Genadi Postrilko wrote:
>
> Hi all.
>
> I have a running IPA Server (3.0.0-37) on RHEL 6.2.
> I'm trying to create Trust between IPA server and AD (In different DNS
> domains). I followed the Red Hat guide
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf.
>
> When I completed the needed step to create the trust and retrieved a krb
> ticket from the AD server:
>
> [root at ipaserver ~]# kinit Administrator at ADDC.COM
> Password for Administrator at ADDC.COM:
>
> [root at ipaserver ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at ADDC.COM
>
>
> Valid starting Expires Service principal
> 01/02/14 12:20:30 01/02/14 22:20:34 krbtgt/ADDC.COM at ADDC.COM
>
> renew until 01/03/14 12:20:30
>
> But when I try to connect to the IPA server via SSH (Putty) I get
> "Access denied" message:
>
> login as: Administrator at ADDC.COM
> Administrator at ADDC.COM@192.168.227.128's password:
>
> Access denied
>
> Any ideas on what I could have done wrong in the process of
> creating the trust?
>
>
> I'd check the sssd logs and /var/log/secure.
>
> Do you have any HBAC rules?
>
> rob
Looks like an error similar to what I see in the other thread.
Unfortunately we might need to wait till Monday for Alexander, Sumit and
Jakub to come back and provide help.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.