[Freeipa-users] ipa user login access denied

Rob Crittenden rcritten at redhat.com
Wed Mar 16 18:13:18 UTC 2016


Armstrong, Jeffrey wrote:
> Hi
>
> I’m unable to log in via ssh to an ipa client or server as the admin user
> or a new user.  This is a new installation of the ipa server and clients.
>
> I’ve saved some of the error messages:
>
> I created a test user (tuser).  I was able to su - tuser successfully.
> I was not able to ssh to the master ipa server or any of the clients.
>
> Below I have some information from the sssd log, the command ipa
> hbactest, and the secure log.
>
> If you need any other info please let me know.
>
> Thanks
>
> Jeff
>
> sssd_<domainname>.log
>
> sh tuser at pcs1dc01
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Set
> /proc/self/oom_score_adj to 0
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Connection from
> 10.109.4.20 port 60969
>
> Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Failed publickey for
> tuser from 10.109.4.20 port 60969 ssh2
>
> Password: Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30793]: Postponed
> keyboard-interactive for tuser from 10.109.4.20 port 60969 ssh2
>
> Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=10.109.4.20  user=tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.109.4.20 user=tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
> pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)
>
> Mar 16 12:40:57 pcs1dc01 authpriv.err sshd[30792]: error: PAM: User
> account has expired for tuser from 10.109.4.20
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30792]: Failed
> keyboard-interactive/pam for tuser from 10.109.4.20 port 60969 ssh2
>
> Received disconnect from UNKNOWN: 2: Too many authentication failures
> for tuser
>
> Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30793]: Disconnecting: Too
> many authentication failures for tuse
>
> *Command:* ipa hbactest
>
> User name: tuser
>
> Target host: <server>
>
> Service: ssh
>
> ---------------------
>
> Access granted: False
>
> ---------------------
>
>    Not matched rules: GUI_ACCESS
>
>    Not matched rules: SSH_ACCESS

There is your answer right there. Add tuser to the appropriate rule.

And as of the last login attempt the user is logged out due to too many 
failed attempts. Lockout duration default is 5 minutes IIRC.

rob

>
> *Secure log*
>
> Mar 16 12:29:55  authpriv.notice sshd[30697]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> <ip-address> user=tuser
>
> Mar 16 12:29:56  authpriv.info sshd[30697]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=<ip-address> user=tuser
>
> Mar 16 12:29:56  authpriv.notice sshd[30697]: pam_sss(sshd:account):
> Access denied for user tuser: 6 (Permission denied)
>
> Mar 16 12:29:56  authpriv.err sshd[30694]: error: PAM: User account has
> expired for tuser from 10.109.4.20
>
> Mar 16 12:29:56  authpriv.info sshd[30694]: Failed
> keyboard-interactive/pam for tuser from <ipaddress> port 60942 ssh2
>
> Received disconnect from UNKNOWN: 2: Too many authentication failures
> for tuser
>
> Mar 16 12:29:56 authpriv.info sshd[30695]: Disconnecting: Too many
> authentication failures for tuser
>
>
>
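
Added example (not part of the original thread, and not FreeIPA project code): a small triage script for the log pattern quoted above, where `pam_sss(sshd:auth)` reports success and `pam_sss(sshd:account)` then denies access. The sample lines are constructed in the thread's log format; the second session (user `buser`, PID 30801) is hypothetical, and `<server>` is a placeholder for the target host.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log format quoted in this thread.
SAMPLE_LOG = """\
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20  user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)
Mar 16 12:41:30 pcs1dc01 authpriv.notice sshd[30801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20  user=buser
Mar 16 12:41:31 pcs1dc01 authpriv.notice sshd[30801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=buser
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_(?P<mod>unix|sss)"
                  r"\((?P<svc>[\w-]+):(?P<phase>auth|account)\): (?P<msg>.*)")
USER = re.compile(r"(?:\buser=|for user )(?P<user>[\w.$-]+)")

def classify(log_text):
    """Group pam_sss events per sshd PID and report which PAM phase rejected the login."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        # pam_unix fails for any user that is not a local account, so it is ignored here.
        if not m or m["mod"] != "sss":
            continue
        s = sessions[m["pid"]]
        s["service"] = m["svc"]          # PAM service name from the log tag
        u = USER.search(m["msg"])
        if u:
            s["user"] = u["user"]
        if m["phase"] == "auth":
            s["auth_ok"] = m["msg"].startswith("authentication success")
        elif m["msg"].startswith("Access denied"):
            s["denied"] = True
    results = []
    for pid, s in sessions.items():
        if s.get("auth_ok") and s.get("denied"):
            # Credentials were accepted; the account (access-control) phase said no.
            verdict = "access-denied-after-auth"
            hint = f"ipa hbactest --user={s['user']} --host=<server> --service={s['service']}"
        elif s.get("auth_ok") is False:
            verdict, hint = "auth-failed", "check password or lockout state"
        else:
            verdict, hint = "no-rejection-seen", ""
        results.append((pid, s.get("user"), verdict, hint))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```
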



