[Freeipa-users] Users can't login on some systems.

Chris Mohler cmohler at oberlin.edu
Thu Aug 20 23:39:07 UTC 2015


Wow, that totally fixed it!

Thanks again.

I simply stopped the sssd service, removed the db, and then started the 
sssd service again. My first attempt to login took a few seconds and was 
successful. I did not have to reinstall the client or even reboot the 
system.

FWIW I put the commands in a script

sssflush.sh

#!/bin/sh
# Stop sssd, wipe its on-disk cache, then start it again (Ubuntu/Upstart).
/sbin/initctl stop sssd
rm /var/lib/sss/db/*
/sbin/initctl start sssd

I've needed to do this a few times before.
A note to fellow Ubuntu users: "service sssd stop" doesn't work when you 
put it in a script. Use /sbin/initctl instead.

-Chris

On 8/20/2015 7:19 PM, Prasun Gera wrote:
> Did you clear out /var/lib/sss/db between re-installation of the 
> client? There was a bug which might not have been fixed downstream yet.
>
> On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <cmohler at oberlin.edu> wrote:
>
>     Hi List,
>     I'm still fairly new to this list and administrating FreeIPA.
>
>     I had a very old version of freeipa and had all sorts of odd
>     issues with it. I had 47 ubuntu clients attached to the domain.
>
>     I set up a newer freeipa server version: 4.1.4
>     I recreated all my user accounts by hand; I did not migrate any of
>     them.
>     I then removed the 47 clients from the old domain
>
>     #ipa-client-install --uninstall
>
>     Then I reinstalled each client
>
>     #ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p admin -W --hostname `hostname` -N
>
>     It finished without errors on all my systems.
>
>     Two of my systems will not let any ipa users log in via ssh or the
>     console. The rest of them work fine.
>     After keying in the password I get the following.
>
>     Permission denied, please try again.
>
>     id (username) shows the UID and GID and Groups correctly.
>     getent passwd shows only my local accounts; I don't have enumerate on.
>     kinit also works.
>
>     _my auth.log shows this_
>     pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>     tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
>     pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>     tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
>     pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
>     I know it's the correct password as it works on the other clients.
>
>     _I get this in krb5_child.log_
>
>     [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241]
>     uid [66133] gid [100] validate [true] enterprise principal [false]
>     offline [false] UPN [@CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX]
>     keytab: [/etc/krb5.keytab]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_lifetime_options] (0x0100): Cannot read
>     [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME]
>     from environment.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set
>     to [true]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>     [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [match_principal] (0x1000): Principal matched to the sample
>     (host/occs.cs.oberlin.edu at CS.OBERLIN.EDU).
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [check_fast_ccache] (0x0200): FAST TGT is still valid.
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
>     (0x0400): Will perform online auth
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [tgt_req_child] (0x1000): Attempting to get a TGT
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [get_and_save_tgt] (0x0400): Attempting kinit for realm
>     [CS.OBERLIN.EDU]
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [validate_tgt] (0x0400): TGT verified using key for
>     [host/occs.cs.oberlin.edu at CS.OBERLIN.EDU].
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [become_user] (0x0200): Trying to become user [66133][100].
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]]
>     [k5c_send_data] (0x0200): Received error code 0
>     (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main]
>     (0x0400): krb5_child completed successfully
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main]
>     (0x0400): krb5_child started.
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
>     [unpack_buffer] (0x1000): total buffer size: [127]
>     (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]]
>     [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate
>     [true] enterprise principal [false] offline [false] UPN
>     [@CS.OBERLIN.EDU]
>
>     _sssd.conf on the broken machine_
>
>     [domain/cs.oberlin.edu]
>     debug_level=8
>     cache_credentials = True
>     krb5_store_password_if_offline = True
>     ipa_domain = cs.oberlin.edu
>     id_provider = ipa
>     auth_provider = ipa
>     access_provider = ipa
>     ipa_hostname = occs.cs.oberlin.edu
>     chpass_provider = ipa
>     ipa_server = _srv_, ipa1.cs.oberlin.edu
>     ldap_tls_cacert = /etc/ipa/ca.crt
>     [sssd]
>     services = nss, pam, ssh
>     config_file_version = 2
>     debug_level=8
>     domains = cs.oberlin.edu
>     [nss]
>     debug_level=8
>     [pam]
>     debug_level=8
>     [sudo]
>
>     [autofs]
>
>     [ssh]
>     debug_level=8
>     [pac]
>
>     _The broken system's sssd_nss.log_
>
>     [nss_cmd_getpwnam_search] (0x0400): Returning info for user
>     [HIDDEN at cs.oberlin.edu]
>     [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with
>     input [HIDDEN].
>     [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN'
>     matched without domain, user is HIDDEN
>     [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default
>     domain [(null)]
>     [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
>     [HIDDEN] from [<ALL>]
>     [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative
>     cache for [NCE/USER/cs.oberlin.edu/HIDDEN]
>     [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info
>     for [HIDDEN at cs.oberlin.edu]
>     [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>
>     Any suggestions on how I can get users to login to this machine?
>
>     Thanks,
>     -Chris
>
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>
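A hardened variant of the sssflush.sh procedure from this thread, added here as an example; it is not Chris's script and not part of SSSD or FreeIPA. Instead of deleting /var/lib/sss/db it moves the cache files into a timestamped backup directory next to it, so the stale cache survives for comparison if the flush turns out not to be the fix. The service-control command and the cache directory are parameters (the names SSSD_CTL, SSSD_DB_DIR and sssd_flush_cache are assumptions of this example) so the function can be exercised against a scratch directory; the defaults follow the Ubuntu/Upstart setup described above.

```shell
#!/bin/sh
# sssflush.sh (example variant): stop sssd, move its on-disk cache aside,
# start sssd again. Sourcing this file only defines the function; pass
# --run to actually perform the flush.

# Assumed configuration knobs (not from the original thread).
SSSD_DB_DIR="${SSSD_DB_DIR:-/var/lib/sss/db}"
SSSD_CTL="${SSSD_CTL:-/sbin/initctl}"   # use "systemctl" on systemd hosts

# sssd_flush_cache [cache_dir] [service_control_command]
# Prints the path of the backup directory on success, returns 1 on failure.
sssd_flush_cache() {
    db="${1:-$SSSD_DB_DIR}"
    ctl="${2:-$SSSD_CTL}"
    [ -d "$db" ] || { echo "no such cache dir: $db" >&2; return 1; }
    backup="${db}.bak.$(date +%Y%m%d%H%M%S)"

    # Never touch the cache while sssd is running: the ldb files are mmap'd.
    $ctl stop sssd || return 1
    mkdir -p "$backup" || return 1

    # Move every cache file, dotfiles included (cache_*.ldb, timestamps_*.ldb,
    # the FAST ccache), into the backup instead of deleting it outright.
    for f in "$db"/* "$db"/.*; do
        case "$f" in */.|*/..) continue ;; esac
        [ -e "$f" ] || continue          # unmatched glob left as a literal
        mv "$f" "$backup"/ || return 1
    done

    $ctl start sssd || return 1
    echo "$backup"
}

if [ "${1:-}" = "--run" ]; then
    sssd_flush_cache
fi
```

On a client run `sh sssflush.sh --run` (as root), then try `id username` and a login; once the machine is confirmed healthy the backup directory can be removed. Note that the cache holds the cached credentials that cache_credentials = True enables and the FAST ccache, so after a flush the IPA server must be reachable for each user's next login.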
