[Freeipa-users] Users can't login on some systems.

Chris Mohler cmohler at oberlin.edu
Thu Aug 20 23:29:48 UTC 2015


Thanks for the reply,
I did not clear out /var/lib/sss/db before re-installation.

I'll give it a try.
I'll stop the service, clear the db, then restart and see if that helps.

If not, I'll uninstall the client, remove the db and then reinstall the
client.

Unless it's too late and anyone has a better idea.

-Chris

On 8/20/2015 7:19 PM, Prasun Gera wrote:
> Did you clear out /var/lib/sss/db between re-installation of the 
> client? There was a bug which might not have been fixed downstream yet.
>
> On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <cmohler at oberlin.edu> wrote:
>
>     Hi List,
>     I'm still fairly new to this list and administrating FreeIPA.
>
>     I had a very old version of FreeIPA and had all sorts of odd
>     issues with it. I had 47 Ubuntu clients attached to the domain.
>
>     I set up a newer FreeIPA server, version 4.1.4.
>     I recreated all my user accounts by hand; I did not migrate any of
>     them.
>     I then removed the 47 clients from the old domain:
>
>     #ipa-client-install --uninstall
>
>     Then I reinstalled each client
>
>     #ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p admin -W --hostname `hostname` -N
>
>     It finished without errors on all my systems.
>
>     Two of my systems will not let any IPA users log in via ssh or the
>     console. The rest of them work fine.
>     After keying in the password I get the following:
>
>     Permission denied, please try again.
>
>     id (username) shows the UID, GID and groups correctly.
>     getent passwd shows only my local accounts; I don't have enumerate on.
>     kinit also works.
>
>     _My auth.log shows this_
>     pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>     tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
>     pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>     tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
>     pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
>     I know it's the correct password as it works on the other clients.
>
>     _I get this in krb5_child.log_
>
>     [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241]
>     uid [66133] gid [100] validate [true] enterprise principal [false]
>     offline [false] UPN [@CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX]
>     keytab: [/etc/krb5.keytab]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_lifetime_options] (0x0100): Cannot read
>     [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME]
>     from environment.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set
>     to [true]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>     [host/occs.cs.oberlin.edu@CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [match_principal] (0x1000): Principal matched to the sample
>     (host/occs.cs.oberlin.edu@CS.OBERLIN.EDU).
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [check_fast_ccache] (0x0200): FAST TGT is still valid.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
>     (0x0400): Will perform online auth
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [tgt_req_child] (0x1000): Attempting to get a TGT
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [get_and_save_tgt] (0x0400): Attempting kinit for realm
>     [CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [validate_tgt] (0x0400): TGT verified using key for
>     [host/occs.cs.oberlin.edu@CS.OBERLIN.EDU].
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [become_user] (0x0200): Trying to become user [66133][100].
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [k5c_send_data] (0x0200): Received error code 0
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
>     (0x0400): krb5_child completed successfully
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main]
>     (0x0400): krb5_child started.
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
>     [unpack_buffer] (0x1000): total buffer size: [127]
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
>     [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate
>     [true] enterprise principal [false] offline [false] UPN
>     [@CS.OBERLIN.EDU]
>
>     _sssd.conf on the broken machine_
>
>     [domain/cs.oberlin.edu]
>     debug_level=8
>     cache_credentials = True
>     krb5_store_password_if_offline = True
>     ipa_domain = cs.oberlin.edu
>     id_provider = ipa
>     auth_provider = ipa
>     access_provider = ipa
>     ipa_hostname = occs.cs.oberlin.edu
>     chpass_provider = ipa
>     ipa_server = _srv_, ipa1.cs.oberlin.edu
>     ldap_tls_cacert = /etc/ipa/ca.crt
>     [sssd]
>     services = nss, pam, ssh
>     config_file_version = 2
>     debug_level=8
>     domains = cs.oberlin.edu
>     [nss]
>     debug_level=8
>     [pam]
>     debug_level=8
>     [sudo]
>
>     [autofs]
>
>     [ssh]
>     debug_level=8
>     [pac]
>
>     _The broken system's sssd_nss.log_
>
>     [nss_cmd_getpwnam_search] (0x0400): Returning info for user
>     [HIDDEN@cs.oberlin.edu]
>     [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with
>     input [HIDDEN].
>     [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN'
>     matched without domain, user is HIDDEN
>     [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default
>     domain [(null)]
>     [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
>     [HIDDEN] from [<ALL>]
>     [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative
>     cache for [NCE/USER/cs.oberlin.edu/HIDDEN]
>     [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info
>     for [HIDDEN@cs.oberlin.edu]
>     [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>
>     Any suggestions on how I can get users to log in to this machine?
>
>     Thanks,
>     -Chris
>
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>
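The cache reset Chris describes above (stop sssd, clear /var/lib/sss/db, restart), written out as an added example that is not from the thread or from the SSSD project. It moves the cache files aside instead of deleting them, so the step can be undone and the stale entries can still be inspected afterwards. Assumptions: a SysV/Upstart-style `service` command as on the Ubuntu clients in the thread, and that the db directory may be overridden through the (hypothetical) SSS_DB_DIR variable so the function can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: reset the local SSSD
# cache by moving its ldb files aside while sssd is stopped.
# Assumptions: SysV/Upstart "service" command; SSS_DB_DIR (hypothetical)
# overrides the default /var/lib/sss/db.
set -eu

# sss_cache_reset DB_DIR BACKUP_DIR
# Moves every *.ldb file in DB_DIR (the per-domain cache and sssd.ldb)
# into BACKUP_DIR and prints how many files were moved.
sss_cache_reset() {
    db_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    moved=0
    for f in "$db_dir"/*.ldb; do
        [ -e "$f" ] || continue    # unexpanded glob: no .ldb files present
        mv "$f" "$backup_dir"/
        moved=$((moved + 1))
    done
    echo "$moved"
}

# reset_live_client
# The full procedure on a real client; run as root. sssd has to be stopped
# first: a running daemon keeps its handles on the old files and would go
# on using them, so the reset would take effect only at its next restart.
reset_live_client() {
    db_dir=${SSS_DB_DIR:-/var/lib/sss/db}
    backup_dir="/var/backups/sss-db.$(date +%Y%m%d%H%M%S)"
    service sssd stop
    n=$(sss_cache_reset "$db_dir" "$backup_dir")
    echo "moved $n cache file(s) from $db_dir to $backup_dir"
    service sssd start
}

# Only touch the live system when asked explicitly: ./reset-sss-cache.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_live_client
fi
```

Two things worth knowing before running it. With `cache_credentials = True` in the posted sssd.conf, the cached password hashes go with the db, so anyone who relied on offline login must authenticate online once before that works again. And `sss_cache -E`, which expires all cached entries without removing the database, is the lighter first step when the goal is only to force a fresh lookup.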
