[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

Dmitri Pal dpal at redhat.com
Thu Feb 26 22:12:13 UTC 2015


On 02/26/2015 01:15 PM, nathan at nathanpeters.com wrote:
>> On 02/25/2015 04:37 PM, nathan at nathanpeters.com wrote:
>>>> It does not seem to recognize the user in the second attempt but the
>>>> first attempt seems to authenticate and then disconnect.
>>>> I do not see trace from accounting session but I suspect that your pam
>>>> stack does not authorize authenticated user.
>>>> Try to allow all authenticated users first. This will prove that it is
>>>> a pam stack accounting phase configuration issue.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go To http://freeipa.org for more info on the project
>>>>
>>> How do I allow all authenticated users?  In the freeIPA domain I have a
>>> rule 'allow_all' that allows any user to connect to any system on any
>>> service.  This is working fine for linux clients.
>>>
>>> I assume you mean to do it on the Solaris machine?  I don't have any
>>> users specifically blocked, ie, there is nothing in my sshd_config file
>>> that is limiting the users and groups that can login.  Eg, I've got no
>>> 'AllowUsers' lines or anything like that.  I've even got PermitRootLogin
>>> set to yes and have tested that root can login.
>>>
>>>
>>>
>>>
>> other account    required     pam_permit.so
>>
>> and comment other pam modules in the section:
>>
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account management
>> #
>> other   account requisite       pam_roles.so.1 debug
>> other   account required        pam_unix_account.so.1 debug
>> #other   account sufficient      pam_ldap.so.1
>> other   account required        pam_krb5.so.1 debug
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
> pam_permit does not exist in Solaris 10 so I cannot use that to test.  The
> only way I could break down where the error is happening is to restore to
> a completely default pam.conf and add the krb5.so entries 1 at a time.
>
> The first entry was added fine in the login section although I noted that
> the 'try_first_pass' option also does not exist in Solaris, so not sure
> why the guide for Solaris is saying to use that:
> login   auth sufficient         pam_krb5.so.1
>
> The following entry is what broke the system :
> other   auth sufficient         pam_krb5.so.1
>
> I placed it in the same place as in the guide (under unix_cred and before
> unix_auth).  So we know it's the auth that's failing, not the account?
>
> Here is how it broke : root can no longer login through ssh.
>
> I compared the log entries for logins before and after the auth change and
> they are identical up to about line 127.
>
> I noticed that the login that failed threw a strange krb5
> pam_no_module_data error before disconnecting the ssh client.
>
> Here are the 2 logs for reference:
>
> unsuccessful root login
> -----------------------
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
> /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=********
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
> /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
> /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:user)=root
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 395087 auth.debug] PAM[494]:
> pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 140038 auth.debug] PAM[494]:
> pam_set_data(812bf10:SUNW-KRB5-AUTH-DATA:2)=812cc20
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:repository)=NULL
> Feb 26 17:51:57 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[494]: [ID
> 455340 auth.debug] PAM[494]: pam_get_item(812bf10:authtok)=********
>
>
> successful root login
> ---------------------
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
> /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:authtok)=********
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:repository)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
> /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
> /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:authtok)=********
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:repository)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
> /usr/lib/security/pam_unix_auth.so.1 returned Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 361950 auth.debug] PAM[482]: pam_authenticate(812e218, 1): final: Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 800047 auth.debug] debug1: do_pam_account: called
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 690203 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 130549 auth.debug] PAM[482]: load_modules(812e218,
> pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 149591 auth.debug] PAM[482]: load_function: successful load of
> pam_sm_acct_mgmt
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 130549 auth.debug] PAM[482]: load_modules(812e218,
> pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 149591 auth.debug] PAM[482]: load_function: successful load of
> pam_sm_acct_mgmt
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:auser)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:ruser)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:rhost)=10.5.5.57
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0):
> /usr/lib/security/pam_roles.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 390833 auth.debug] PAM[482]: pam_get_item(812e218:repository)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 330580 auth.debug] PAM[482]:
> pam_get_data(812e218:SUNW-UNIX-AUTHTOK-DATA)=PAM_NO_MODULE_DATA
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 710061 auth.debug] PAM[482]:
> pam_set_data(812e218:SUNW-UNIX-AUTHTOK-DATA:2)=812e880
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0):
> /usr/lib/security/pam_unix_account.so.1 returned Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 361950 auth.debug] PAM[482]: pam_acct_mgmt(812e218, 0): final: Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[482]: [ID
> 804632 auth.debug] PAM[482]: pam_getenvlist(812e218)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: PAM: num PAM env strings 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.info] Postponed keyboard-interactive/pam for root from
> 10.5.5.57 port 53885 ssh2 [preauth]
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: do_pam_account: called
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.info] Accepted keyboard-interactive/pam for root from
> 10.5.5.57 port 53885 ssh2
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: monitor_child_preauth: root has been
> authenticated by privileged process
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: monitor_read_log: child log fd closed
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 415390 auth.debug] PAM[480]: pam_set_item(812e218:conv)=8086ff8
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: PAM: establishing credentials
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 690202 auth.debug] PAM[480]: pam_setcred(812e218, 1)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 259530 auth.debug] PAM[480]: load_modules(812e218,
> pam_sm_setcred)=/usr/lib/security/pam_authtok_get.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 985081 auth.debug] PAM[480]: load_function: successful load of
> pam_sm_setcred
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 259530 auth.debug] PAM[480]: load_modules(812e218,
> pam_sm_setcred)=/usr/lib/security/pam_dhkeys.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 985081 auth.debug] PAM[480]: load_function: successful load of
> pam_sm_setcred
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 259530 auth.debug] PAM[480]: load_modules(812e218,
> pam_sm_setcred)=/usr/lib/security/pam_unix_cred.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 985081 auth.debug] PAM[480]: load_function: successful load of
> pam_sm_setcred
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 259530 auth.debug] PAM[480]: load_modules(812e218,
> pam_sm_setcred)=/usr/lib/security/pam_unix_auth.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 985081 auth.debug] PAM[480]: load_function: successful load of
> pam_sm_setcred
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 740490 auth.debug] PAM[480]: pam_setcred(812e218, 1):
> /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:authtok)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 740490 auth.debug] PAM[480]: pam_setcred(812e218, 1):
> /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:auser)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:rhost)=10.5.5.57
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:tty)=ssh
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:resource)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 740490 auth.debug] PAM[480]: pam_setcred(812e218, 1):
> /usr/lib/security/pam_unix_cred.so.1 returned Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 740490 auth.debug] PAM[480]: pam_setcred(812e218, 1):
> /usr/lib/security/pam_unix_auth.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 361438 auth.debug] PAM[480]: pam_setcred(812e218, 1): final: Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 415390 auth.debug] PAM[480]: pam_set_item(812e218:conv)=8086ff8
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 690202 auth.debug] PAM[480]: pam_open_session(812e218, 0)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 259530 auth.debug] PAM[480]: load_modules(812e218,
> pam_sm_open_session)=/usr/lib/security/pam_unix_session.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 985081 auth.debug] PAM[480]: load_function: successful load of
> pam_sm_open_session
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:tty)=ssh
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 390817 auth.debug] PAM[480]: pam_get_item(812e218:rhost)=10.5.5.57
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 740490 auth.debug] PAM[480]: pam_open_session(812e218, 0):
> /usr/lib/security/pam_unix_session.so.1 returned Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 361438 auth.debug] PAM[480]: pam_open_session(812e218, 0): final: Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: Entering interactive session for SSH2.
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: server_init_dispatch_20
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: server_input_channel_open: ctype session rchan
> 256 win 16384 max 16384
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: input_session_request
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: channel 0: new [server-session]
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_new: session 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_open: channel 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_open: session 0: link with channel 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: server_input_channel_open: confirm session
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> pty-req reply 1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> pty-req
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: Allocating pty.
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_pty_req: session 0 alloc /dev/pts/2
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> shell reply 1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req shell
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[480]: [ID
> 800047 auth.info] Starting session: shell on pts/2 for root from 10.5.5.57
> port 53885
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 415422 auth.debug] PAM[484]: pam_set_item(812e218:conv)=8086ff8
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 800047 auth.debug] debug1: PAM: reinitializing credentials
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 690204 auth.debug] PAM[484]: pam_setcred(812e218, 4)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 259531 auth.debug] PAM[484]: load_modules(812e218,
> pam_sm_setcred)=/usr/lib/security/pam_authtok_get.so.1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 871562 auth.debug] PAM[484]: pam_setcred(812e218, 4):
> /usr/lib/security/pam_authtok_get.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 871562 auth.debug] PAM[484]: pam_setcred(812e218, 4):
> /usr/lib/security/pam_dhkeys.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 390849 auth.debug] PAM[484]: pam_get_item(812e218:user)=root
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 390849 auth.debug] PAM[484]: pam_get_item(812e218:auser)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 390849 auth.debug] PAM[484]: pam_get_item(812e218:rhost)=10.5.5.57
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 390849 auth.debug] PAM[484]: pam_get_item(812e218:tty)=ssh
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 390849 auth.debug] PAM[484]: pam_get_item(812e218:resource)=NULL
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 871562 auth.debug] PAM[484]: pam_setcred(812e218, 4):
> /usr/lib/security/pam_unix_cred.so.1 returned Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 871562 auth.debug] PAM[484]: pam_setcred(812e218, 4):
> /usr/lib/security/pam_unix_auth.so.1 returned Ignore module
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 362462 auth.debug] PAM[484]: pam_setcred(812e218, 4): final: Success
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 800047 auth.debug] debug1: permanently_set_uid: 0/0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[484]: [ID
> 482209 auth.debug] PAM[484]: pam_getenvlist(812e218)
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> winadj@putty.projects.tartarus.org reply 1
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 26 17:45:37 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> winadj@putty.projects.tartarus.org
> Feb 26 17:45:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> window-change reply 0
> Feb 26 17:45:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 26 17:45:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[414]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> window-change
>
>
root is not an ipa managed user so it is purely your pam configuration.
I thought we were trying to figure out why your ipa users are not 
handled properly.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
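
Added example, not part of the original message or of FreeIPA: a small Python reader for PAM debug traces like the two quoted above, which rejoins the mail-wrapped syslog records and lists, per PAM call, what each module returned and whether a "final:" result was ever logged. The function names are hypothetical, and the sample is constructed from the shape of the quoted records with the hostname shortened to the placeholder HOST.

```python
import re
from collections import OrderedDict

# Constructed sample: records shaped like the traces in this thread, with the
# e-mail quote prefix and line wrapping left in. HOST is a placeholder.
SAMPLE = """\
> Feb 26 17:51:57 HOST sshd[494]: [ID
> 872586 auth.debug] PAM[494]: pam_authenticate(812bf10, 1):
> /usr/lib/security/pam_unix_cred.so.1 returned Ignore module
> Feb 26 17:51:57 HOST sshd[494]: [ID
> 395087 auth.debug] PAM[494]:
> pam_get_data(812bf10:SUNW-KRB5-AUTH-DATA)=PAM_NO_MODULE_DATA
> Feb 26 17:45:37 HOST sshd[482]: [ID
> 806026 auth.debug] PAM[482]: pam_authenticate(812e218, 1):
> /usr/lib/security/pam_unix_auth.so.1 returned Success
> Feb 26 17:45:37 HOST sshd[482]: [ID
> 361950 auth.debug] PAM[482]: pam_authenticate(812e218, 1): final: Success
"""

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Either a per-module result or the final result of one PAM call.
CALL = re.compile(
    r"PAM\[\d+\]: (?P<phase>pam_\w+)\((?P<handle>\w+), (?P<flag>\d+)\): "
    r"(?:final: (?P<final>.+)|(?P<module>\S+) returned (?P<result>.+))$"
)


def unwrap(text):
    """Strip '>' quote prefixes and rejoin records split by the mail client."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Map (handle, phase, flag) -> module results in order, plus final result."""
    calls = OrderedDict()
    for rec in unwrap(text):
        m = CALL.search(rec)
        if not m:
            continue
        # The handle, not the pid, identifies the stack: sshd's privilege
        # separation logs one handle under several pids.
        key = (m["handle"], m["phase"], m["flag"])
        call = calls.setdefault(key, {"modules": [], "final": None})
        if m["final"] is not None:
            call["final"] = m["final"]
        else:
            call["modules"].append((m["module"].rsplit("/", 1)[-1], m["result"]))
    return calls


def unfinished(calls):
    """PAM calls for which the trace never logged a 'final:' line."""
    return [key for key, call in calls.items() if call["final"] is None]


if __name__ == "__main__":
    for (handle, phase, flag), call in summarize(SAMPLE).items():
        print(f"{phase}({handle}, {flag}) final={call['final']}")
        for module, result in call["modules"]:
            print(f"    {module}: {result}")
```

On the failed trace quoted above this lists pam_authenticate on handle 812bf10 as unfinished after pam_unix_cred.so.1, since that excerpt ends before any "final:" record. The pam_get_data ...=PAM_NO_MODULE_DATA record followed by pam_set_data appears in both quoted traces (SUNW-KRB5-AUTH-DATA in the failed one, SUNW-UNIX-AUTHTOK-DATA in the successful one).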



