[Freeipa-users] freeipa permission denied for user

Thu Feb 18 13:22:39 UTC 2016

On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> I set up freeipa on our environment and its works perfectly for most of the
> hosts.. but on few I am getting a permission denied.
> 
> [root at ipa-client-1c :~] ssh tempuser at localhost
> tempuser at localhost's password:
> Permission denied, please try again.
> tempuser at localhost's password:
> 
> 
> 
> 
> I checked the hbac, but that seems to be fine
> 
> root at ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
> --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_all
> 
> 
> Another thing I noticed is the nsswitch.conf had the below entries after
> the freeipa installation
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap
> 
> hosts:      files dns
> 
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   files sss ldap
> 
> publickey:  nisplus
> 
> automount:  files ldap
> aliases:    files nisplus
> 
> sudoers: files sss
> 
> 
> The ldap shouldn't be there above I guess..
> 
> and from the logs, i have the below errors
> 
> ==> /var/log/secure <==
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
> user tempuser: 4 (System error)
> Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from
> x.x.x.x port 36687 ssh2
> Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for
> user tempuser: 4 (System error)
> Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from
> 127.0.0.1 port 59870 ssh2
> 
> 
> ==> /var/log/messages <==
> Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
> : Input/output error
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed
> : Input/output error
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied

Could it be caused by /etc/krb5.conf permissions as here:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
?

Some advise is also here:
http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc

Martin