[Freeipa-users] Mostly working trust, SSH failure
Jakub Hrozek
jhrozek at redhat.com
Fri May 20 07:02:00 UTC 2016
On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote:
> Hello,
>
> I've set up a one-way trust to an Active Directory domain. Things
> seem to roughly work, but something's missing.
>
> Can any kind soul spot a problem with my configuration, or advise on
> how to further troubleshoot?
>
> Facts:
>
> - An AD user gets 'Access denied' when SSH'ing by password to the
> FreeIPA host. This is my concern.
>
> - This AD user has not been locked out.
>
> - getent passwd succeeds for the AD user
>
> - A FreeIPA user can successfully SSH by password to the same FreeIPA
> host.
>
> - That FreeIPA user can then successfully kinit as the AD user (the
> same AD user denied above)
>
> - HBAC is set to the default allow_all rule, which is enabled.
> Running the HBAC Test tool on the AD user confirms that they are
> authorized for sshd.
>
> This tells me something is awry in sssd.conf or sshd_config or pam.d
> or HBAC.
>
> Thanks,
> Erik
>
> I've got sssd debug to 9. Here's some output:
>
>
[...]
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
Here it looks like sssd previously had issues connecting to AD and went
offline. Can you search the logs a bit earlier for the first occurrence of
"Marking subdomain xxx as offline"? Can you kinit as that user?
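The log search suggested above, as an added example that is not part of the thread: a small Python parser for SSSD debug lines that finds the first "Marking subdomain ... offline" event, reports the messages logged just before it (usually the connection failure that caused it), and flags when that first marking is only a repeat followed by "Subdomain already inactive", which means the real transition lies earlier than the captured log window. The sample log lines are constructed for this example; the DC name dc1.na.bazzlegroup.com is an assumption.

```python
import re
from typing import Optional

# SSSD debug line layout:
# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>[^ ]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
OFFLINE_RE = re.compile(r"Marking subdomain (?P<dom>\S+) offline")

# Constructed sample: a DC port failure, the real offline transition,
# then a later lookup that only repeats the marking.
SAMPLE_LOG = """\
(Thu May 19 20:41:10 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.na.bazzlegroup.com' as 'not working'
(Thu May 19 20:41:10 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:41:10 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Marking subdomain na.bazzlegroup.com as inactive
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one SSSD debug line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def first_offline_event(log_text: str, context: int = 3) -> Optional[dict]:
    """Return the first subdomain-offline marking with the preceding messages.

    already_inactive is True when the marking is immediately followed by
    'Subdomain already inactive', i.e. the log starts after the real failure.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    for i, rec in enumerate(records):
        m = OFFLINE_RE.search(rec["msg"])
        if not m:
            continue
        follow = records[i + 1]["msg"] if i + 1 < len(records) else ""
        return {
            "ts": rec["ts"],
            "subdomain": m.group("dom"),
            "already_inactive": "already inactive" in follow,
            "context": [r["msg"] for r in records[max(0, i - context):i]],
        }
    return None


if __name__ == "__main__":
    print(first_offline_event(SAMPLE_LOG))
```

Run it against the real file with `first_offline_event(open("/var/log/sssd/sssd_<domain>.log").read())`; if `already_inactive` is True, the captured window starts too late and older rotated logs need the same search.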