[Freeipa-users] Very Odd Fedora 21 Auth Issue (Server: IPA 4.1.0)

Sumit Bose sbose at redhat.com
Tue Jun 23 07:34:00 UTC 2015


On Tue, Jun 23, 2015 at 05:24:32PM +1000, craig.redhat at shakenautomotive.com.au wrote:
> Hi, 
> This is one odd issue?!
> 
> Red Hat Enterprise Linux 7.1
> 
> #Server Side
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> ipa-server-4.1.0-18.el7_1.3.x86_64
> 
> #Client side
> Fedora release 21 (Twenty One)
> * freeipa-client-4.1.4-1.fc21.x86_64
> * sssd-client-1.12.4-3.fc21.x86_64
> 
> 
> Issue:
> User cannot log in to their PC
> 
> Error: /var/log/secure
> Jun 23 17:08:48 johnpc sshd[3591]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=john
> Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john
> Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): received for user
> john: 7 (Authentication failure)
> 
> However:
> 1. Kerberos works;
> kinit john 
> john at johnpc /etc/pam.d> klist
> Ticket cache: KEYRING:persistent:365:365
> Default principal: john at EXAMPLE.EXAMPLEAUS.COM.AU
> 
> Valid starting     Expires            Service principal
> 23/06/15 16:49:30  24/06/15 16:49:28
> krbtgt/EXAMPLE.EXAMPLEAUS.COM.AU at EXAMPLE.EXAMPLEAUS.COM.AU
> 
> 2. LDAP works;
> john at johnpc ~> getent passwd john
> john:x:365:132::/home/john:/bin/bash
> 
> 3. ssh to IPA server works with a password (so not relying on the Kerberos
> ticket);
> john at erio ~> ssh john at sysvm-ipa1
> john at sysvm-ipa1's password: 
> Last login: Tue Jun 23 16:50:02 2015 from johnpc.example.exampleaus.com.au
> 
> 
> Any advice would be greatly appreciated.

I think we need sssd logs here, please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. We need
at least logs for the PAM responder ([pam] section in sssd.conf) and
the backend ([domain/...] section in sssd.conf).

bye,
Sumit

> 
> Regards,
> 
> Craig
> 
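
Added example (not part of the original thread, and not SSSD or FreeIPA project code): a shell check that reads an sssd.conf and lists which of the sections named in the reply, [pam] and each [domain/...], have no debug_level set and so would not yield the requested logs. The function names, the sample config and the treatment of debug_level = 0 as "not enabled" are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the sssd.conf sections ([pam] and every [domain/...])
# that have no usable debug_level. Reads the file given as $1, or stdin.
# Assumption: a missing debug_level, or debug_level = 0, counts as a gap.
sssd_debug_gaps() {
    awk '
        # Trim whitespace, then skip comments and blank lines.
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[#;]/ || /^$/ { next }
        # Section header: remember it if it is [pam] or [domain/...].
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2)
            want = (sec == "pam" || sec ~ /^domain\//)
            if (want && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
            next
        }
        # debug_level inside a section we care about.
        want && /^debug_level[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val != "" && val != "0") level[sec] = val
        }
        END {
            # A [pam] section that is absent cannot carry a debug_level.
            if (!("pam" in seen)) print "pam"
            for (i = 1; i <= n; i++)
                if (!(order[i] in level)) print order[i]
        }
    ' "${1:--}"
}

# Constructed sample config: the domain section has debug_level, [pam] does not.
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[pam]

[domain/example.test]
id_provider = ipa
debug_level = 6
EOF
}

# Run the check on the constructed sample; prints: pam
sample_sssd_conf | sssd_debug_gaps
```

On a real client, pass the path to the configuration file as the first argument, for example /etc/sssd/sssd.conf, and run it as a user who can read that file.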



