[Freeipa-users] SSH login to client
Jakub Hrozek
jhrozek at redhat.com
Thu Jun 9 11:40:53 UTC 2016
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
This normally means wrong password. Does this happen only with the
initial expired password or even after you reset the password and kinit?
Can you send more verbose krb5_child.log?
More information about the Freeipa-users
mailing list