[Freeipa-users] Only one AD user can able to login to IPA server

Ben .T.George bentech4you at gmail.com
Tue Mar 17 09:57:27 UTC 2015


Hi,

I have enabled debug.

Here is my sssd.conf:

[root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
[domain/solaris.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.local
chpass_provider = ipa
ipa_server = kwtpocpbis01.solaris.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = solaris.local
debug_level = 6
[nss]
homedir_substring = /home
debug_level = 6

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


LOGS:

sssd.log:

(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging solaris.local
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service solaris.local replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac replied to ping


error_log:

[root@kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
[Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: *** PROCESS START ***
[Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
[Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
[Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: *** PROCESS START ***
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol:  Unknown protocol 'tlsv1.2' not supported

secure:
[root@kwtpocpbis01 log]# tail -f secure
Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by user root
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from 10.18.2.130 port 64141 ssh2
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by user root
Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session closed for user root
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby@infra.com from 10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid user bobby@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user bobby@infra.com from 10.18.2.130 port 64470 ssh2

Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130  user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for ben@infra.com from 10.18.2.130 port 64782 ssh2
Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session opened for user ben@infra.com by (uid=0)



On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > I was following this link:
> > http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
> > to set up the IPA server.
> >
> > My IPA version is 4.1.2.
> >
> > Every step in this tutorial passed without any error;
> > even "*Allow access for users from AD domain to protected resources*"
> > went successfully.
> > My current issue is that only one user, called ben, can log in to the IPA
> > server. Please check below:
> >
> > [root@kwtpocpbis01 ~]# getent passwd ben@infra.com
> > ben@infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
> > [root@kwtpocpbis01 ~]# getent passwd bobby@infra.com
> > [root@kwtpocpbis01 ~]# getent passwd administrator@infra.com
> > [root@kwtpocpbis01 ~]#
> >
> > The users ben & bobby are in the same group (Domain users), but bobby cannot
> > log in to IPA and I get no information when querying.
> > Please help me to fix this issue. I don't know where I need to
> > troubleshoot this issue.
>
> Can you increase debug_level in both [nss] and [domain] sections on the
> server and paste the logs here?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
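Added example (not part of the original post, and not SSSD or FreeIPA code): a small Python parser over sshd lines from /var/log/secure that separates the two cases visible in the excerpt above. For bobby, sshd logs "Invalid user" before any password check, which means the name never resolved through NSS (the same symptom as the empty getent output), so the problem is on the identity-lookup side. For ben, pam_unix fails (an AD user has no local password, as the "*" in the getent line shows) and pam_sss then succeeds, which is the normal sequence. The sample lines are constructed from the excerpt; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the post above
# (same PIDs and user names; addresses written in plain user@domain form).
SAMPLE_SECURE_LOG = """\
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby@infra.com from 10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid user bobby@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user bobby@infra.com from 10.18.2.130 port 64470 ssh2
Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130  user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for ben@infra.com from 10.18.2.130 port 64782 ssh2
Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session opened for user ben@infra.com by (uid=0)
"""

# One syslog line from sshd: timestamp, host, sshd[pid]: message
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sshd could not look the name up through NSS (getpwnam failed)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")
# Per-module PAM auth verdicts (pam_unix, pam_sss, ...)
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): authentication (?P<result>success|failure)")


def classify_sessions(log_text):
    """Group sshd lines by PID and classify each login attempt.

    Returns {pid: {"user", "rhost", "outcome", "pam"}} where outcome is:
      "unknown-user"  name never resolved via NSS (same symptom as empty getent)
      "accepted"      login succeeded
      "failed"        name resolved but credentials were rejected
      "incomplete"    no terminal event seen for this PID
    and pam is the list of (module, result) verdicts seen for the attempt.
    """
    sessions = defaultdict(
        lambda: {"user": None, "rhost": None, "outcome": "incomplete", "pam": []})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line; other daemons share /var/log/secure
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        im, am, fm, pm = (INVALID_RE.match(msg), ACCEPTED_RE.match(msg),
                          FAILED_RE.match(msg), PAM_RE.match(msg))
        if im:
            s.update(user=im.group("user"), rhost=im.group("rhost"), outcome="unknown-user")
        elif am:
            s.update(user=am.group("user"), rhost=am.group("rhost"), outcome="accepted")
        elif fm:
            s.update(user=fm.group("user"), rhost=fm.group("rhost"))
            if s["outcome"] != "unknown-user":  # keep the more specific verdict
                s["outcome"] = "failed"
        elif pm:
            s["pam"].append((pm.group("module"), pm.group("result")))
    return dict(sessions)


def identity_resolution_failures(log_text):
    """User names sshd rejected before any password check: lookup (NSS/SSSD)
    problems, not credential problems, so the fix is on the ID-resolution side."""
    return sorted({s["user"] for s in classify_sessions(log_text).values()
                   if s["outcome"] == "unknown-user"})


def authenticated_by(log_text, module="pam_sss"):
    """User names whose successful login was vouched for by the given PAM module."""
    return sorted({s["user"] for s in classify_sessions(log_text).values()
                   if s["outcome"] == "accepted" and (module, "success") in s["pam"]})


if __name__ == "__main__":
    for pid, s in classify_sessions(SAMPLE_SECURE_LOG).items():
        print(pid, s["user"], s["rhost"], s["outcome"], s["pam"])
    print("not resolvable:", identity_resolution_failures(SAMPLE_SECURE_LOG))
    print("via pam_sss:", authenticated_by(SAMPLE_SECURE_LOG))
```

Run against a real /var/log/secure, the "unknown-user" bucket is the list of names to chase in the sssd domain and nss logs (as Jakub asked for above), because sshd never even reached PAM with a password for them; names in the "failed" bucket resolved fine and are a credential or access-control question instead.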