[Freeipa-users] freeipa permission denied for user
Martin Kosek
mkosek at redhat.com
Thu Feb 18 13:22:39 UTC 2016
On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> I set up freeipa on our environment and it works perfectly for most of the
> hosts.. but on a few I am getting a permission denied.
>
> [root at ipa-client-1c :~] ssh tempuser at localhost
> tempuser at localhost's password:
> Permission denied, please try again.
> tempuser at localhost's password:
>
>
>
>
> I checked the hbac, but that seems to be fine
>
> root at ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
> --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_all
>
>
> Another thing I noticed is the nsswitch.conf had the below entries after
> the freeipa installation
> passwd: files sss ldap
> shadow: files sss ldap
> group: files sss ldap
>
> hosts: files dns
>
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss ldap
>
> publickey: nisplus
>
> automount: files ldap
> aliases: files nisplus
>
> sudoers: files sss
>
>
> The ldap shouldn't be there above I guess..
>
> and from the logs, I have the below errors
>
> ==> /var/log/secure <==
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
> user tempuser: 4 (System error)
> Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from
> x.x.x.x port 36687 ssh2
> Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for
> user tempuser: 4 (System error)
> Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from
> 127.0.0.1 port 59870 ssh2
>
>
> ==> /var/log/messages <==
> Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
> : Input/output error
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
> : Input/output error
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
Could it be caused by /etc/krb5.conf permissions as here:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
?
Some advice is also here:
http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc
Martin
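
One way to test the /etc/krb5.conf hypothesis from the reply above, as an added example that is not part of the original thread: it looks for the `krb5_child` "Permission denied" and `pam_sss` "4 (System error)" lines quoted in the question, then checks whether the Kerberos configuration is readable by "other". The function names, the script name and the sample log lines are constructed for illustration, and the premise that `krb5_child` reads the file as the unprivileged login user is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: krb5_child reads the Kerberos
# configuration as the unprivileged login user, so "other" needs read access.

# sample_log: constructed log lines modelled on the excerpts quoted above.
sample_log() {
cat <<'EOF'
Feb 18 03:34:17 host sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:34:19 host sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2
Feb 18 03:38:41 host [sssd[krb5_child[25324]]]: Permission denied
EOF
}

# other_can_read FILE: succeed only if the "other" read bit is set on FILE.
other_can_read() {
    perms=$(ls -ldL -- "$1" 2>/dev/null) || return 2    # 2: cannot stat FILE
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# count_matches PATTERN LOG...: print how many lines of the logs match PATTERN.
count_matches() {
    pat=$1; shift
    n=$(cat -- "$@" 2>/dev/null | grep -c -- "$pat") || true
    echo "${n:-0}"
}

# diagnose CONF LOG...: print a verdict; return 1 when the logs carry the
# signature and CONF is not readable by "other" (a candidate cause).
diagnose() {
    conf=$1; shift
    denied=$(count_matches 'krb5_child.*Permission denied' "$@")
    syserr=$(count_matches 'pam_sss(.*): received for user .*: 4 (System error)' "$@")
    if [ "$denied" -eq 0 ] && [ "$syserr" -eq 0 ]; then
        echo "no krb5_child/pam_sss failure signature found"; return 0
    fi
    if other_can_read "$conf"; then
        echo "signature found, but $conf is readable by other: check elsewhere"; return 0
    fi
    echo "signature found ($denied denied, $syserr system error); $conf is not readable by other"
    return 1
}

# Usage: sh check.sh /etc/krb5.conf /var/log/messages /var/log/secure
if [ "$#" -ge 2 ]; then diagnose "$@"; fi
```

The check looks only at the mode bits of the file itself; directory permissions, ACLs and SELinux labels are outside what it inspects.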