[Freeipa-users] Users can't login on some systems.
Chris Mohler
cmohler at oberlin.edu
Thu Aug 20 23:39:07 UTC 2015
Wow, that totally fixed it!
Thanks again.
I simply stopped the sssd service, removed the db and then started the
sssd service again. My first attempt to log in took a few seconds and was
successful. I did not have to reinstall the client or even reboot the
system.
FWIW, I put the commands in a script:
sssflush.sh
#!/bin/sh
# Stop sssd, wipe its on-disk cache, then start it again.
/sbin/initctl stop sssd
rm /var/lib/sss/db/*
/sbin/initctl start sssd
I've needed to do this a few times before.
A note to fellow Ubuntu users: "service sssd stop" doesn't work when you
put it in a script. Use /sbin/initctl instead.
-Chris
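A fuller version of the flush script, added here as an example and not Chris's own script: it keeps the same stop/clear/start recipe, but moves the cache aside into a timestamped directory instead of deleting it (so a bad cache can still be inspected), prefers /sbin/initctl over "service" as the note above recommends, and checks that the user resolves again afterwards. SSSD_DB and SSSD_CTL are knobs of this example only, not SSSD settings; run it as root with "sh sssflush.sh run someuser".

```sh
#!/bin/sh
# Added example, not the script from the thread. Same recipe (stop sssd,
# clear the cache, start sssd) but the cache is moved aside, not deleted.
# Assumed knobs: SSSD_DB (cache dir, default /var/lib/sss/db) and SSSD_CTL
# (service control command; set to ":" to skip stop/start, e.g. in tests).
set -eu
SSSD_DB="${SSSD_DB:-/var/lib/sss/db}"

# Choose the service control tool; upstart's /sbin/initctl is preferred
# because "service sssd stop" misbehaves from scripts on those Ubuntu hosts.
sssd_ctl() {
    if [ -n "${SSSD_CTL:-}" ]; then printf '%s\n' "$SSSD_CTL"
    elif [ -x /sbin/initctl ]; then printf '%s\n' /sbin/initctl
    elif command -v systemctl >/dev/null 2>&1; then printf '%s\n' systemctl
    else printf '%s\n' service
    fi
}

# sssd_service stop|start
sssd_service() {
    ctl=$(sssd_ctl)
    case "$ctl" in
        :) ;;                           # stop/start disabled (testing)
        service) service sssd "$1" ;;   # sysvinit argument order
        *) "$ctl" "$1" sssd ;;          # initctl / systemctl order
    esac
}

# Move every cache file into a timestamped sibling directory; print its path.
sssd_cache_backup() {
    bak="${SSSD_DB}.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak"
    for f in "$SSSD_DB"/*; do
        [ -e "$f" ] || continue
        mv "$f" "$bak"/
    done
    printf '%s\n' "$bak"
}

# flush_sssd_cache [user]: stop, move cache aside, start, then verify lookup.
flush_sssd_cache() {
    sssd_service stop
    bak=$(sssd_cache_backup)
    sssd_service start
    if [ -n "${1:-}" ]; then
        id "$1" >/dev/null || { echo "lookup of $1 still fails" >&2; return 1; }
    fi
    echo "cache moved to $bak"
}

case "${1:-}" in run) flush_sssd_cache "${2:-}" ;; esac
```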
On 8/20/2015 7:19 PM, Prasun Gera wrote:
> Did you clear out /var/lib/sss/db between re-installation of the
> client? There was a bug which might not have been fixed downstream yet.
>
> On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <cmohler at oberlin.edu> wrote:
>
> Hi List,
> I'm still fairly new to this list and to administering FreeIPA.
>
> I had a very old version of FreeIPA and had all sorts of odd
> issues with it. I had 47 Ubuntu clients attached to the domain.
>
> I set up a newer FreeIPA server, version 4.1.4.
> I recreated all my user accounts by hand; I did not migrate any of
> them.
> I then removed the 47 clients from the old domain:
>
> #ipa-client-install --uninstall
>
> Then I reinstalled each client:
>
> #ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p admin -W --hostname `hostname` -N
>
> It finished without errors on all my systems.
>
> Two of my systems will not let any IPA users log in via ssh or the
> console. The rest of them work fine.
> After keying in the password I get the following:
>
> Permission denied, please try again.
>
> id (username) shows the UID, GID and groups correctly.
> getent passwd shows only my local accounts; I don't have enumerate on.
> kinit also works.
>
> _My auth.log shows this:_
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
> I know it's the correct password as it works on the other clients.
>
> _I get this in krb5_child.log:_
>
> [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [match_principal] (0x1000): Principal matched to the sample (host/occs.cs.oberlin.edu at CS.OBERLIN.EDU).
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): Will perform online auth
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [validate_tgt] (0x0400): TGT verified using key for [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user] (0x0200): Trying to become user [66133][100].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data] (0x0200): Received error code 0
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): krb5_child completed successfully
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main] (0x0400): krb5_child started.
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x1000): total buffer size: [127]
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
>
> _sssd.conf on the broken machine:_
>
> [domain/cs.oberlin.edu]
> debug_level=8
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cs.oberlin.edu
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = occs.cs.oberlin.edu
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.cs.oberlin.edu
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> debug_level=8
> domains = cs.oberlin.edu
> [nss]
> debug_level=8
> [pam]
> debug_level=8
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level=8
> [pac]
>
> _The broken system's sssd_nss.log:_
>
> [nss_cmd_getpwnam_search] (0x0400): Returning info for user [HIDDEN at cs.oberlin.edu]
> [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [HIDDEN].
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched without domain, user is HIDDEN
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] from [<ALL>]
> [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cs.oberlin.edu/HIDDEN]
> [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [HIDDEN at cs.oberlin.edu]
> [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>
> Any suggestions on how I can get users to log in to this machine?
>
> Thanks,
> -Chris
>