[Freeipa-users] Admin password not accepted during replica install

Sat Aug 1 21:05:08 UTC 2015

I even checked working version (IPA clusters) and they don't even have
this AllowGroups.

Am I missing something ?

2015-08-01 22:52 GMT+02:00 Janelle <janellenicole80 at gmail.com>:
> which points to the configuration of sssd.conf and/or nsswitch.conf
> It is in there. If you say there are no AllowGroups in sshd, it has to be in
> one of those 2 places.
>
> ~J
>
>
> On 8/1/15 1:26 PM, Matt . wrote:
>>
>> kinit admin works perfectly, that is such strange.
>>
>> 2015-08-01 22:15 GMT+02:00 Janelle <janellenicole80 at gmail.com>:
>>>
>>> lastly -- on the master - do you get the same error if you "kinit admin"?
>>> ~J
>>>
>>>
>>> On 8/1/15 1:05 PM, Matt . wrote:
>>>>
>>>> This actually the most important part, and the GSS Failure concerns me:
>>>>
>>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>> debug2: key: /root/.ssh/id_rsa ((nil)),
>>>> debug2: key: /root/.ssh/id_dsa ((nil)),
>>>> debug2: key: /root/.ssh/id_ecdsa ((nil)),
>>>> debug2: key: /root/.ssh/id_ed25519 ((nil)),
>>>> debug1: Authentications that can continue:
>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>> debug3: start over, passed a different list
>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>> debug3: preferred
>>>> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
>>>> debug3: authmethod_lookup gssapi-keyex
>>>> debug3: remaining preferred:
>>>> gssapi-with-mic,publickey,keyboard-interactive,password
>>>> debug3: authmethod_is_enabled gssapi-keyex
>>>> debug1: Next authentication method: gssapi-keyex
>>>> debug1: No valid Key exchange context
>>>> debug2: we did not send a packet, disable method
>>>> debug3: authmethod_lookup gssapi-with-mic
>>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>>> debug3: authmethod_is_enabled gssapi-with-mic
>>>> debug1: Next authentication method: gssapi-with-mic
>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>> information
>>>> No Kerberos credentials available
>>>>
>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>> information
>>>> No Kerberos credentials available
>>>>
>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>> information
>>>>
>>>>
>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>> information
>>>> No Kerberos credentials available
>>>>
>>>> debug2: we did not send a packet, disable method
>>>> debug3: authmethod_lookup publickey
>>>> debug3: remaining preferred: keyboard-interactive,password
>>>> debug3: authmethod_is_enabled publickey
>>>> debug1: Next authentication method: publickey
>>>> debug1: Trying private key: /root/.ssh/id_rsa
>>>> debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
>>>> debug1: Trying private key: /root/.ssh/id_dsa
>>>> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
>>>> debug1: Trying private key: /root/.ssh/id_ecdsa
>>>> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
>>>> debug1: Trying private key: /root/.ssh/id_ed25519
>>>> debug3: no such identity: /root/.ssh/id_ed25519: No such file or
>>>> directory
>>>> debug2: we did not send a packet, disable method
>>>> debug3: authmethod_lookup password
>>>> debug3: remaining preferred: ,password
>>>> debug3: authmethod_is_enabled password
>>>> debug1: Next authentication method: password
>>>> admin at ipa-01.domain.local's password:
>>>> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
>>>> debug2: we sent a password packet, wait for reply
>>>> debug1: Authentications that can continue:
>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>> Permission denied, please try again.
>>>>
>>>> 2015-08-01 22:02 GMT+02:00 Janelle <janellenicole80 at gmail.com>:
>>>>>
>>>>> What is in the logs on the machine that is failing? Can you login to
>>>>> admin
>>>>> from anywhere?  Logs are you best friend.
>>>>> Also, a simply "ssh -vvv" will help.
>>>>>
>>>>> ~J
>>>>>
>>>>>
>>>>> On 8/1/15 12:51 PM, Matt . wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This didn't fix it yet.
>>>>>>
>>>>>> I wonder if there are any checks I can do as in the very past I was
>>>>>> able to do a simple replica without any issues.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-08-01 21:34 GMT+02:00 Janelle <janellenicole80 at gmail.com>:
>>>>>>>
>>>>>>> Double check you do not have "AllowGroups" set in your
>>>>>>> /etc/ssh/sshd_config
>>>>>>> file. If you do, add the "admins" group.
>>>>>>>
>>>>>>> Also, make sure on the master, that the /etc/nsswitch.conf was
>>>>>>> properly
>>>>>>> updated. Several server installs I have done, have left off the "sss"
>>>>>>> for
>>>>>>> "passwd", "group" and "shadow".
>>>>>>>
>>>>>>> passwd:     files sss
>>>>>>> shadow:     files sss
>>>>>>> group:      files sss
>>>>>>>
>>>>>>> I bet one of those will fix your problem. Restart sssd and/of sshd if
>>>>>>> you
>>>>>>> have to make changes.
>>>>>>>
>>>>>>> ~Janelle
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 8/1/15 10:13 AM, Matt . wrote:
>>>>>>>>
>>>>>>>> Hi Guys,
>>>>>>>>
>>>>>>>> I'm doing a replica install there my admin password for the SSH
>>>>>>>> check
>>>>>>>> to the master is not accepted.
>>>>>>>>
>>>>>>>> The password is not expired, I can use it on the GUI and even
>>>>>>>> changing
>>>>>>>> it in the GUI doesn't fix this.
>>>>>>>>
>>>>>>>> What can I check ?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>