[Freeipa-users] SSH login to client

Lukas Slebodnik lslebodn at redhat.com
Thu Jun 9 12:59:46 UTC 2016 

On (09/06/16 08:43), Pavel Picka wrote:
>
>
>----- Original Message -----
>From: "David Kupka" <dkupka at redhat.com>
>To: "Pavel Picka" <ppicka at redhat.com>, freeipa-users at redhat.com
>Sent: Thursday, June 9, 2016 1:45:26 PM
>Subject: Re: [Freeipa-users] SSH login to client
>
>On 09/06/16 13:18, Pavel Picka wrote:
>> Hi,
>>
>> Have anyone experience, when create user on ipa-server, and want to login on client with this user I get :
>>
>> Permission denied, please try again.
>> Permission denied, please try again.
>> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>>
>> (with kinit [1st time change] was password changed to new one)
>> even with another change with ipa user-mod --password I am getting same result
>>
>> and on client in /var/log/messages found :
>>
>> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>>
>>
>>
>> --
>> Pavel Picka
>>
>Hi Pavel!
>
>I have few questions that may help locating the issue:
>
>Are you able to kinit as the user on server and client?
>- kinit is ok on both
>Are you able to ssh to the client as the admin?
>- no I am not able to use 'admin' to ssh to client
>What is the output of "id user" on client?
>[root at rhel04 ~]# id tuser
>uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
>
>
>I have noticed I am able ssh when 'kinit user' is active
>
>For detailed logs here is ssh -vvv
>
>http://pastebin.test.redhat.com/382140
>
>@Sumit
>
>I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10, is it done by krb5.conf or else?
/ets/sssd/sssd.conf and domian section.

You might find useful following wiki.
https://fedorahosted.org/sssd/wiki/Troubleshooting

LS

More information about the Freeipa-users mailing list