[Freeipa-users] Users can't login on some systems.

Prasun Gera prasun.gera at gmail.com
Thu Aug 20 23:19:51 UTC 2015


Did you clear out /var/lib/sss/db between re-installation of the client?
There was a bug which might not have been fixed downstream yet.

On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <cmohler at oberlin.edu> wrote:

> Hi List,
> I'm still fairly new to this list and administering FreeIPA.
>
> I had a very old version of freeipa and had all sorts of odd issues with
> it. I had 47 ubuntu clients attached to the domain.
>
> I set up a newer freeipa server, version 4.1.4.
> I recreated all my user accounts by hand; I did not migrate any of them.
> I then removed the 47 clients from the old domain:
>
> #ipa-client-install --uninstall
>
> Then I reinstalled each client
>
> #ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p
> admin -W --hostname `hostname` -N
>
> It finished without errors on all my systems.
>
> Two of my systems will not let any ipa users login via ssh or the console.
> The rest of them work fine.
> After keying in the password I get the following.
>
> Permission denied, please try again.
>
> id (username) shows the UID and GID and Groups correctly.
> getent passwd shows only my local accounts; I don't have enumerate on.
> kinit also works.
>
> *my auth.log shows this*
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
> ruser= rhost=132.162.201.237  user=HIDDEN
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
> ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
> I know it's the correct password as it works on the other clients.
>
> *I get this in krb5_child.log*
>
> [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid
> [66133] gid [100] validate [true] enterprise principal [false] offline
> [false] UPN [@CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [
> host/occs.cs.oberlin.edu at CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [match_principal]
> (0x1000): Principal matched to the sample (
> host/occs.cs.oberlin.edu at CS.OBERLIN.EDU).
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400):
> Will perform online auth
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [validate_tgt]
> (0x0400): TGT verified using key for [
> host/occs.cs.oberlin.edu at CS.OBERLIN.EDU].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user]
> (0x0200): Trying to become user [66133][100].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400):
> krb5_child completed successfully
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main] (0x0400):
> krb5_child started.
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer]
> (0x1000): total buffer size: [127]
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise
> principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
>
> *sssd.conf on the broken machine*
>
> [domain/cs.oberlin.edu]
> debug_level=8
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cs.oberlin.edu
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = occs.cs.oberlin.edu
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.cs.oberlin.edu
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> debug_level=8
> domains = cs.oberlin.edu
> [nss]
> debug_level=8
> [pam]
> debug_level=8
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level=8
> [pac]
>
>
>
> *The broken system's sssd_nss.log*
>
> [nss_cmd_getpwnam_search] (0x0400):
> Returning info for user [HIDDEN at cs.oberlin.edu]
> [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input
> [HIDDEN].
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched
> without domain, user is HIDDEN
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain
> [(null)]
> [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] from
> [<ALL>]
> [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for
> [NCE/USER/cs.oberlin.edu/HIDDEN]
> [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [
> HIDDEN at cs.oberlin.edu]
> [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>
> Any suggestions on how I can get users to login to this machine?
>
> Thanks,
> -Chris
>
>
>
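The suggestion at the top of this reply is to clear SSSD's on-disk cache between the `ipa-client-install --uninstall` and the re-enrolment, because a client that keeps a stale cache can resolve the user (`id` works, `check_cache` reports "Cached entry is valid") while password authentication still fails. The script below is an added example, not something from this thread or from the SSSD/FreeIPA projects. It assumes SSSD's default cache directory `/var/lib/sss/db`, a systemd unit named `sssd`, and `tar` on the host; the helper functions take the directory as a parameter so they can be exercised against a scratch directory. Rather than deleting the cache outright, it archives the `.ldb` files first, so the stale state of the one odd client can be compared with a working one afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): back up and clear SSSD's on-disk cache
# between "ipa-client-install --uninstall" and the re-enrolment.
# Assumptions: the cache lives in /var/lib/sss/db (SSSD's default location),
# the service is managed as "sssd" by systemctl, and tar is available.

SSS_DB="${SSS_DB:-/var/lib/sss/db}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/tmp}"

# backup_and_clear_sss_cache DB_DIR BACKUP_DIR
# Archives every regular file in DB_DIR into BACKUP_DIR, then deletes the files
# but keeps the directory itself (SSSD recreates its .ldb files on next start).
# Prints the archive path on success; returns 1 on any failure.
backup_and_clear_sss_cache() {
  db="$1"
  backup_root="$2"
  [ -d "$db" ] || { echo "no cache directory at $db" >&2; return 1; }
  [ -d "$backup_root" ] || mkdir -p "$backup_root" || return 1
  archive="$backup_root/sss_db_$(date +%Y%m%d%H%M%S).tar"
  # Keep a copy: a stale cache_<domain>.ldb is exactly what you want to
  # inspect later (e.g. with ldbsearch) when one client behaves differently.
  tar -cf "$archive" -C "$db" . || return 1
  # Remove only plain files; the directory and its permissions stay as they are.
  find "$db" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} + || return 1
  printf '%s\n' "$archive"
}

# count_cache_files DB_DIR: number of regular files left in the cache directory.
count_cache_files() {
  find "$1" -mindepth 1 -maxdepth 1 -type f | wc -l | tr -d ' '
}

# The full sequence runs only when explicitly asked for ("--run"), because it
# stops SSSD and discards cached credentials: with cache_credentials = True,
# users cannot log in offline again until they have authenticated online once.
if [ "$1" = "--run" ]; then
  systemctl stop sssd || exit 1
  archive=$(backup_and_clear_sss_cache "$SSS_DB" "$BACKUP_ROOT") || exit 1
  echo "cache archived to $archive"
  systemctl start sssd || exit 1
  # Sanity check after the restart: the account must resolve from a fresh cache.
  id "${2:-admin}" || exit 1
fi
```

Run it as `sh clear_sss_cache.sh --run someuser` on the affected client after the uninstall and before re-running `ipa-client-install`; without `--run` it only defines the functions. If the re-enrolled client then authenticates, the archived `.ldb` files from the broken state are what to compare against a working client.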