[Freeipa-users] SSH login to client

Sumit Bose sbose at redhat.com
Thu Jun 9 13:29:03 UTC 2016


On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
> 
> 
> ----- Original Message -----
> From: "David Kupka" <dkupka at redhat.com>
> To: "Pavel Picka" <ppicka at redhat.com>, freeipa-users at redhat.com
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
> 
> On 09/06/16 13:18, Pavel Picka wrote:
> > Hi,
> >
> > Has anyone experienced this: when I create a user on ipa-server and want to log in on a client with this user, I get:
> >
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> >
> > (with kinit [1st time change] the password was changed to a new one)
> > even with another change with ipa user-mod --password I am getting the same result
> >
> > and on the client in /var/log/messages I found:
> >
> > Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> > Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> >
> >
> >
> > --
> > Pavel Picka
> >
> Hi Pavel!
> 
> I have a few questions that may help locate the issue:
> 
> Are you able to kinit as the user on server and client?
> - kinit is ok on both
> Are you able to ssh to the client as the admin?
> - no I am not able to use 'admin' to ssh to client
> What is the output of "id user" on client?
> [root at rhel04 ~]# id tuser
> uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
> 
> 
> I have noticed I am able to ssh when 'kinit user' is active
> 
> For detailed logs here is ssh -vvv
> 
> http://pastebin.test.redhat.com/382140

This makes sense: GSSAPI authentication would be used in this case and
SSSD is not involved in the authentication at all.

But your paste ends with 'Permission denied
(publickey,gssapi-keyex,gssapi-with-mic,password).' Are you sure you
pasted the right test?

> 
> @Sumit
> 
> I found /var/log/sssd/krb5_child.log empty, but I didn't set the log level to 10; is it done in krb5.conf or somewhere else?

Please add 'debug_level=10' to the [domain/....] section of
/etc/sssd/sssd.conf.

bye,
Sumit

> 
> -- 
> David Kupka
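
The debug_level change suggested above, applied by script, as an added example that is not part of the original thread. The sample sssd.conf and the domain name example.test are constructed placeholders, and set_domain_debug_level is a hypothetical helper name.

```python
import re

# Constructed sample; the domain name example.test is a placeholder.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
# debug_level = 2
debug_level = 2
override_homedir = /home/%u

[pam]
debug_level = 1
"""

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
DEBUG = re.compile(r"^\s*debug_level\s*=")


def set_domain_debug_level(conf_text, level=10):
    """Return conf_text with debug_level=<level> in every [domain/...] section.

    Other sections, comments and unrelated options are left untouched.
    """
    out = []
    in_domain = False
    for line in conf_text.splitlines():
        m = SECTION.match(line)
        if m:
            in_domain = m.group("name").startswith("domain/")
            out.append(line)
            if in_domain:
                # Put the setting right under the header so it is easy to find.
                out.append(f"debug_level = {level}")
            continue
        if in_domain and DEBUG.match(line):
            continue  # drop the old value; the new one is already in place
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_domain_debug_level(SAMPLE_SSSD_CONF), end="")
```

SSSD reads sssd.conf at startup, so restart the service after writing the result back, then retry the login and check /var/log/sssd/krb5_child.log.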



