[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

nathan at nathanpeters.com nathan at nathanpeters.com
Wed Feb 25 19:58:56 UTC 2015


I am having trouble logging in with an IPA user on Solaris 10.  The
machine is able to correctly initialize tickets using kinit.  The issue
appears to be PAM related.  I am using FreeIPA 4.1.3.

I have tried to follow the instructions here as best I can:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Here are my kinit and klist tests
--------------------------------
$ kinit ipauser1
Password for ipauser1 at IPADOMAIN.NET:
[07:45 PM] ipaclient5-sandbox-atdev-van:/var/log$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ipauser1 at IPADOMAIN.NET

Valid starting                Expires                Service principal
02/25/15 19:45:10  02/26/15 19:45:10  krbtgt/IPADOMAIN.NET at IPADOMAIN.NET
        renew until 03/04/15 19:45:10

Here are the last 2 lines of the output of getent passwd showing my ipa
admin and user
-------------------------------------------------------------------------------------
admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash


However, this is what happens when I try to login as 'ipauser1'.  On the
console I am prompted with 'Password:' I enter the valid password, and
suddenly Putty pops up a window 'Server unexpectedly closed network
connection'.  If I try to login as ipauser1 at ipadomain.net it still fails,
but in a different way.  The putty window stays open and I get an 'Access
denied' message and am prompted for the password again:

Logs with 'ipauser1'
--------------------
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port
22
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Client protocol version 2.0; client software
version PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
[preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: server_input_channel_req: channel 0 request
winadj at putty.projects.tartarus.org reply 1
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_input_channel_req: session 0 req
winadj at putty.projects.tartarus.org
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: userauth-request for user ipauser1 service
ssh-connection method none [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: PAM: initializing for "ipauser1"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
781331 auth.debug] PAM[761]: pam_start(sshd,ipauser1,811c170:812b8e0) -
debug = 1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
496445 auth.debug] PAM[761]: pam_set_item(812b8e0:service)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
496445 auth.debug] PAM[761]: pam_set_item(812b8e0:user)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
496445 auth.debug] PAM[761]: pam_set_item(812b8e0:conv)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
496445 auth.debug] PAM[761]: pam_set_item(812b8e0:rhost)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
496445 auth.debug] PAM[761]: pam_set_item(812b8e0:tty)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: userauth-request for user ipauser1 service
ssh-connection method keyboard-interactive [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: auth2_challenge: user=ipauser1 devs= [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.debug] debug1: auth2_challenge_start: trying authentication
method 'pam' [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
120752 auth.debug] PAM[763]: pam_set_item(812b8e0:conv)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
690215 auth.debug] PAM[763]: pam_authenticate(812b8e0, 1)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
149594 auth.debug] PAM[763]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
149594 auth.debug] PAM[763]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
149594 auth.debug] PAM[763]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
149594 auth.debug] PAM[763]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
149594 auth.debug] PAM[763]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
776247 auth.debug] PAM[763]: pam_get_user(812b8e0, 812b8e0, NULL)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
800047 auth.info] Postponed keyboard-interactive for ipauser1 from
10.5.5.57 port 57607 ssh2 [preauth]
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
120752 auth.debug] PAM[763]: pam_set_item(812b8e0:authtok)
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net last message
repeated 1 time
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
user='ipauser1'
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: server_input_channel_req: channel 0 request
window-change reply 0
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_input_channel_req: session 0 req
window-change

Logs with ipauser1 at ipadomain.net
------------------
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] Connection from 10.5.5.57 port 57655 on 10.21.19.16 port
22
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: Client protocol version 2.0; client software
version PuTTY_Release_0.63
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
none [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
[preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: userauth-request for user
ipauser1 at ipadomain.net service ssh-connection method none [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] Invalid user ipauser1 at ipadomain.net from 10.5.5.57
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] input_userauth_request: invalid user
ipauser1 at ipadomain.net [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: PAM: initializing for "ipauser1 at ipadomain.net"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
781347 auth.debug] PAM[765]:
pam_start(sshd,ipauser1 at ipadomain.net,811c170:812d610) - debug = 1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
645040 auth.debug] PAM[765]: pam_set_item(812d610:service)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
645040 auth.debug] PAM[765]: pam_set_item(812d610:user)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
645040 auth.debug] PAM[765]: pam_set_item(812d610:conv)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
645040 auth.debug] PAM[765]: pam_set_item(812d610:rhost)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
645040 auth.debug] PAM[765]: pam_set_item(812d610:tty)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: userauth-request for user
ipauser1 at ipadomain.net service ssh-connection method keyboard-interactive
[preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: auth2_challenge: user=ipauser1 at ipadomain.net
devs= [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: auth2_challenge_start: trying authentication
method 'pam' [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
269347 auth.debug] PAM[767]: pam_set_item(812d610:conv)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
690217 auth.debug] PAM[767]: pam_authenticate(812d610, 1)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
278576 auth.debug] PAM[767]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
278576 auth.debug] PAM[767]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
278576 auth.debug] PAM[767]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
278576 auth.debug] PAM[767]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
278576 auth.debug] PAM[767]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
896806 auth.debug] PAM[767]: pam_get_user(812d610, 812d610, NULL)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] Postponed keyboard-interactive for invalid user
ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2 [preauth]
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: server_input_channel_req: channel 0 request
winadj at putty.projects.tartarus.org reply 1
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
800047 auth.debug] debug1: session_input_channel_req: session 0 req
winadj at putty.projects.tartarus.org
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net last message
repeated 1 time
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
219349 auth.debug] pam_unix_auth: user ipauser1 at ipadomain.net not found
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.error] error: PAM: No account present for user for illegal
user ipauser1 at ipadomain.net from 10.5.5.57
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] Failed keyboard-interactive/pam for invalid user
ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: userauth-request for user
ipauser1 at ipadomain.net service ssh-connection method keyboard-interactive
[preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: attempt 2 failures 1 [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: auth2_challenge: user=ipauser1 at ipadomain.net
devs= [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.debug] debug1: auth2_challenge_start: trying authentication
method 'pam' [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
531491 auth.debug] PAM[768]: pam_set_item(812d610:conv)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
561236 auth.debug] PAM[768]: pam_authenticate(812d610, 1)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
195047 auth.debug] PAM[768]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
502849 auth.debug] PAM[768]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
195047 auth.debug] PAM[768]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
502849 auth.debug] PAM[768]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
195047 auth.debug] PAM[768]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
502849 auth.debug] PAM[768]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
195047 auth.debug] PAM[768]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
502849 auth.debug] PAM[768]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
195047 auth.debug] PAM[768]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
502849 auth.debug] PAM[768]: load_function: successful load of
pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
251960 auth.debug] PAM[768]: pam_get_user(812d610, 812d610, NULL)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
800047 auth.info] Postponed keyboard-interactive for invalid user
ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2 [preauth]



Here is my /etc/krb5.conf file
------------------------------
[libdefaults]
        default_realm = IPADOMAIN.NET
        dns_lookup_kdc = true

[realms]
        IPADOMAIN.NET = {
        kdc = 10.21.19.20
        admin_server = 10.21.19.20
        }

[domain_realm]
        .ipadomain.net = IPADOMAIN.NET
        ipadomain.net = IPADOMAIN.NET

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

Here is my /etc/pam.conf

(Please note that some stuff is commented out for troubleshooting.  I have
tried with everything uncommented and it doesn't work.  I have also tried
following about 10 different ways to configure PAM that I have seen in
other forum posts where people were having Solaris troubles and have not
found the magic combination yet.)
------------------------

#
#ident  "@(#)pam.conf   1.31    07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
#login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1 debug
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
#rlogin  auth requisite          pam_authtok_get.so.1
#rlogin  auth required           pam_dhkeys.so.1
#rlogin  auth required           pam_unix_cred.so.1
#rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
#krlogin auth required           pam_unix_cred.so.1
#krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
#krsh    auth required           pam_unix_cred.so.1
#krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
#ktelnet auth required           pam_unix_cred.so.1
#ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
#ppp     auth requisite          pam_authtok_get.so.1
#ppp     auth required           pam_dhkeys.so.1
#ppp     auth required           pam_unix_cred.so.1
#ppp     auth required           pam_unix_auth.so.1
#ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1 debug
other   auth required           pam_dhkeys.so.1 debug
other   auth required           pam_unix_cred.so.1 debug
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
#cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1 debug
other   account required        pam_unix_account.so.1 debug
#other   account sufficient      pam_ldap.so.1
other   account required        pam_krb5.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
#other   password required       pam_dhkeys.so.1
#other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1 debug
other   password required       pam_authtok_store.so.1
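
The sshd/PAM debug logs in this post are wrapped by the mail client and interleave several sshd PIDs, which makes it hard to see where each authentication child stopped. The following Python script is an added example, not part of the original post: it rejoins wrapped records, groups them by PID, and reports the PAM modules loaded, the PAM errors, and the last record per PID. `SAMPLE` is constructed input modelled on the post's log format, with a placeholder hostname.

```python
import re
from collections import OrderedDict

# A syslog record starts with "Mon DD HH:MM:SS <host> "; anything else is a
# continuation line produced by the mail client's line wrapping.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
# Solaris syslog layout seen in the post: sshd[PID]: [ID n facility.level] msg
SSHD_RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[(?P<pid>\d+)\]: \[ID \d+ [\w.]+\] (?P<msg>.*)$"
)
MODULE_LOAD = re.compile(
    r"load_modules\(\w+, pam_sm_authenticate\)=\S*/(pam_\w+)\.so"
)
PAM_ERROR = re.compile(r"pam_authenticate\(\w+, \d+\): error (.+)$")

# Constructed sample (not the poster's data), wrapped the way the post is.
SAMPLE = """\
Feb 25 19:46:54 client.example.test sshd[761]: [ID
800047 auth.debug] debug1: PAM: initializing for "ipauser1"
Feb 25 19:46:54 client.example.test sshd[763]: [ID
690215 auth.debug] PAM[763]: pam_authenticate(812b8e0, 1)
Feb 25 19:46:54 client.example.test sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:46:54 client.example.test sshd[763]: [ID
130555 auth.debug] PAM[763]: load_modules(812b8e0,
pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:46:58 client.example.test sshd[763]: [ID
120752 auth.debug] PAM[763]: pam_set_item(812b8e0:authtok)
Feb 25 19:46:58 client.example.test last message
repeated 1 time
Feb 25 19:46:58 client.example.test sshd[763]: [ID
549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
user='ipauser1'
Feb 25 19:49:56 client.example.test sshd[767]: [ID
130556 auth.debug] PAM[767]: load_modules(812d610,
pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:49:56 client.example.test sshd[767]: [ID
564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
account present for user
Feb 25 19:49:56 client.example.test sshd[767]: [ID
219349 auth.debug] pam_unix_auth: user ipauser1@ipadomain.net not found
"""


def unwrap(text):
    """Rejoin records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records


def trace(text):
    """Return {pid: {"modules": [...], "errors": [...], "last": (ts, msg)}}."""
    pids = OrderedDict()
    for record in unwrap(text):
        m = SSHD_RECORD.match(record)
        if m is None:
            continue  # non-sshd records, e.g. "last message repeated 1 time"
        info = pids.setdefault(
            m["pid"], {"modules": [], "errors": [], "last": None}
        )
        msg = m["msg"]
        loaded = MODULE_LOAD.search(msg)
        if loaded:
            info["modules"].append(loaded.group(1))
        failed = PAM_ERROR.search(msg)
        if failed:
            info["errors"].append(failed.group(1))
        # The final record of a PID shows where that process stopped logging.
        info["last"] = (m["ts"], msg)
    return pids


if __name__ == "__main__":
    for pid, info in trace(SAMPLE).items():
        print("sshd[%s]" % pid)
        print("  auth modules loaded:", ", ".join(info["modules"]) or "-")
        print("  PAM errors:         ", "; ".join(info["errors"]) or "-")
        print("  last record:         %s  %s" % info["last"])
```

Run against the full log, the per-PID "last record" line makes it easy to compare the two login attempts side by side.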






