[Freeipa-users] Very Odd Fedora 21 Auth Issue (Server: IPA 4.1.0)
Sumit Bose
sbose at redhat.com
Tue Jun 23 07:34:00 UTC 2015
On Tue, Jun 23, 2015 at 05:24:32PM +1000, craig.redhat at shakenautomotive.com.au wrote:
> Hi,
> This is one odd issue?!
>
> Red Hat Enterprise Linux 7.1
>
> #Server Side
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> ipa-server-4.1.0-18.el7_1.3.x86_64
>
> #Client side
> Fedora release 21 (Twenty One)
> * freeipa-client-4.1.4-1.fc21.x86_64
> * sssd-client-1.12.4-3.fc21.x86_64
>
>
> Issue:
> User cannot login to their PC
>
> Error: /var/log/secure
> Jun 23 17:08:48 johnpc sshd[3591]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john
> Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john
> Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): received for user
> john: 7 (Authentication failure)
>
> However:
> 1. Kerberous works;
> kinit john
> john at johnpc /etc/pam.d> klist
> Ticket cache: KEYRING:persistent:365:365
> Default principal: john at EXAMPLE.EXAMPLEAUS.COM.AU
>
> Valid starting Expires Service principal
> 23/06/15 16:49:30 24/06/15 16:49:28
> krbtgt/EXAMPLE.EXAMPLEAUS.COM.AU at EXAMPLE.EXAMPLEAUS.COM.AU
>
> 2. LDAP works;
> john at johnpc ~> getent passwd john
> john:x:365:132::/home/john:/bin/bash
>
> 3. ssh to IPA server works with a password (so not relying on the kerberous
> ticket);
> john at erio ~> ssh john at sysvm-ipa1
> john at sysvm-ipa1's password:
> Last login: Tue Jun 23 16:50:02 2015 from johnpc.example.exampleaus.com.au
>
>
> Any advice would be greatly appreciated?
I think we need sssd logs here, please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. We need
at least logs for the PAM responder ([pam] section in sssd.conf) and
the backend ([domain/...] section in sssd.conf).
bye,
Sumit
>
> Regards,
>
> Craig
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list