[Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.

Dmitri Pal dpal at redhat.com
Sun Jan 5 00:21:21 UTC 2014


On 01/04/2014 06:13 PM, Genadi Postrilko wrote:
> Output from /var/log/secure:
>
> Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user
> Administrator at ADDC.COM from 192.168.227.1
> Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid
> user Administrator at ADDC.COM
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.227.1
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error
> retrieving information about user Administrator at ADDC.COM
> Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user
> Administrator at ADDC.COM from
> 192.168.227.1 port 53125 ssh2

I do not see SSSD doing auth.
Is pam_sss configured for PAM for SSH?
See more details here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#installing-host-keys
http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

I do not see a simple HowTo to configure SSH to use SSSD for cases when
ipa-client-install is not used. Maybe we should provide one.
The expectation is:
You install IPA, create a trust, join the client to IPA using
ipa-client-install, and it configures everything you need.
The order of the last two steps can be reversed but the result should be the
same.

>
> 2014/1/3 Genadi Postrilko <genadipost at gmail.com>
>
>     Here are the other logs as well (ldap_child.log, sssd_pac.log,
>     sssd_ssh.log).
>
>     https://gist.github.com/anonymous/8242061
>
>     I attempted to log in (as Administrator at ADDC.COM) at 9:04.
>
>     Thanks for the help.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
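
Added example (not part of the original message, and not FreeIPA or SSSD code): one way to answer the question raised above, whether sshd's PAM auth stack reaches pam_sss, by following include/substack lines, since the sshd file may pull its auth lines in from another file. The function names and the sample stack are constructed for illustration.

```python
import os
import tempfile

def pam_modules(service, pam_dir="/etc/pam.d", mtype="auth", _seen=None):
    """List modules a PAM service runs for one type, following include/substack."""
    seen = set() if _seen is None else _seen
    if service in seen:              # visit each file once; also stops include loops
        return []
    seen.add(service)
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            lines = fh.read().splitlines()
    except OSError:                  # missing or unreadable file contributes nothing
        return []
    modules = []
    for line in lines:
        f = line.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] == "@include":      # Debian-style whole-file include
            modules += pam_modules(f[1], pam_dir, mtype, seen)
            continue
        if len(f) < 3 or f[0].lstrip("-") != mtype:
            continue
        rest = f[1:]
        while rest[0].startswith("[") and not rest[0].endswith("]") and len(rest) > 1:
            rest = [rest[0] + " " + rest[1]] + rest[2:]   # rejoin "[a=b c=d]" control
        if len(rest) < 2:
            continue
        control, target = rest[0], rest[1]
        if control in ("include", "substack"):
            modules += pam_modules(target, pam_dir, mtype, seen)
        else:
            modules.append(os.path.basename(target))
    return modules

def sshd_reaches_pam_sss(pam_dir="/etc/pam.d"):
    return "pam_sss.so" in pam_modules("sshd", pam_dir)

def write_sample(with_sss):
    """Constructed sample stack (not taken from the poster's machine)."""
    d = tempfile.mkdtemp()
    sss = "auth sufficient pam_sss.so use_first_pass\n" if with_sss else ""
    files = {
        "sshd": "#%PAM-1.0\nauth required pam_sepermit.so\nauth include password-auth\n",
        "password-auth": "auth required pam_env.so\n"
                         "auth sufficient pam_unix.so nullok try_first_pass\n"
                         "auth requisite pam_succeed_if.so uid >= 500 quiet\n"
                         + sss + "auth required pam_deny.so\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d
```

On a real host, call sshd_reaches_pam_sss() with no argument to read /etc/pam.d directly.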