[Freeipa-users] SSH login to client
Sumit Bose
sbose at redhat.com
Thu Jun 9 13:29:03 UTC 2016
On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
>
>
> ----- Original Message -----
> From: "David Kupka" <dkupka at redhat.com>
> To: "Pavel Picka" <ppicka at redhat.com>, freeipa-users at redhat.com
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
>
> On 09/06/16 13:18, Pavel Picka wrote:
> > Hi,
> >
> > Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
> >
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> >
> > (with kinit [1st time change] the password was changed to a new one)
> > even with another change with ipa user-mod --password I am getting the same result
> >
> > and on the client in /var/log/messages I found:
> >
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> >
> >
> >
> > --
> > Pavel Picka
> >
> Hi Pavel!
>
> I have a few questions that may help locate the issue:
>
> Are you able to kinit as the user on server and client?
> - kinit is ok on both
> Are you able to ssh to the client as the admin?
> - no I am not able to use 'admin' to ssh to client
> What is the output of "id user" on client?
> [root at rhel04 ~]# id tuser
> uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
>
>
> I have noticed I am able to ssh when 'kinit user' is active
>
> For detailed logs here is ssh -vvv
>
> http://pastebin.test.redhat.com/382140

This makes sense: GSSAPI authentication would be used in this case and
SSSD is not involved in the authentication at all.

But your paste ends with 'Permission denied
(publickey,gssapi-keyex,gssapi-with-mic,password).' Are you sure you
pasted the right test?

>
> @Sumit
>
> I found /var/log/sssd/krb5_child.log empty, but I didn't set the log level to 10; is it done by krb5.conf or something else?

Please add 'debug_level=10' to the [domain/....] section of
/etc/sssd/sssd.conf.

bye,
Sumit

>
> --
> David Kupka
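
Added example, not part of the original message: one way to apply the debug_level=10 advice above to every [domain/...] section of an sssd.conf-style file, idempotently. The function names, the domain name example.test and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): enable SSSD debug logging per domain.
# The domain name "example.test" and the sample config are constructed.

# Print FILE with debug_level set to LEVEL (default 10) in every
# [domain/...] section; all other sections are left untouched.
set_domain_debug() {
    awk -v lvl="${2:-10}" '
        /^[ \t]*\[/ {                       # any section header
            in_dom = ($0 ~ /^[ \t]*\[domain\//)
            print
            if (in_dom) print "debug_level = " lvl
            next
        }
        # drop a previous debug_level so the result is idempotent
        in_dom && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Rewrite FILE in place via a temp file in the same directory,
# keeping the restrictive 0600 mode sssd.conf is normally installed with.
apply_domain_debug() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if set_domain_debug "$1" "${2:-10}" > "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Write a constructed sample config to FILE for a dry run.
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
debug_level = 2

[pam]
EOF
}
```

SSSD reads sssd.conf at startup, so restart the service after changing the real file and retry the login before looking at /var/log/sssd/krb5_child.log again.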