[Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Rob Crittenden rcritten at redhat.com
Mon Mar 31 22:52:32 UTC 2014


Todd Maugh wrote:
> HBAC rules are set to allow_all enabled

Ok. I'd start with increasing the sssd log level and see what it says.

I gather that basic nss works since you can kinit as other users.

You may want to check for SELinux AVCs as well.

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, March 31, 2014 3:44 PM
> To: Todd Maugh; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
>> Hi,
>>
>> I have a rhel5 client. I had problems with my IPA environment and had
>> to rebuild
>>
>> I'm on the latest version of IPA with a red hat 6 server
>>
>> I successfully enrolled the client to the new server (same domain, same
>> realm) I had removed all old certs, sysrestores, and ipa/default.conf
>>
>> I can ssh to the box as root, and then either su or kinit to any IPA
>> user without issue
>>
>> But when I try to ssh as the ipauser to the box it gives me permission
>> denied, please try again
>>
>> I cleared out the sssd cache and restarted sssd
>>
>> Is there something I'm missing or a log to check?
>>
>> I need to work this out before I move forward enrolling other
>> previously enrolled clients.
>
> Check your HBAC rules.
>
> rob
>
