[Freeipa-users] SSH login to client
Sumit Bose
sbose at redhat.com
Thu Jun 9 11:42:32 UTC 2016
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
Can you send the full debug_level=10 content of krb5_child.log for a
single attempt (same pid in [sssd[krb5_child[xxxx]]]. The error might
not be related to the user password but e.g. to an old keytab and
krb5_child fails to establish the FAST tunnel.
bye,
Sumit
>
>
>
> --
> Pavel Picka
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list