[Freeipa-users] Cannot login after patching on LXC Container

Nuno Higgs ipa at border.nuneshiggs.com
Tue Feb 14 15:14:28 UTC 2017


Hello Lukas,

No, the account is neither locked nor expired. That's the weird part.
On other CentOS7 / RHEL7 I can log in without any issues.


[root at ipa2 ~]# ipa user-status nuno
-----------------------
Account disabled: False
-----------------------
  Server: ipa1
  Failed logins: 0
  Last successful authentication: 20170214150453Z
  Last failed authentication: 20170213170252Z
  Time now: 2017-02-14T15:06:21Z

  Server: ipa2
  Failed logins: 0
  Last successful authentication: 20170214150047Z
  Last failed authentication: 20170214124638Z
  Time now: 2017-02-14T15:06:23Z
----------------------------
Number of entries returned 2
----------------------------

I've also enabled the sssd. There is no evidence of where the problem is:

(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno at domain.com
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nuno' matched without domain, user is nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [nuno at domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [nuno at domain.com@domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is nuno at domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno at domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 25
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Also remember that this configuration works perfectly if it is a KVM or a LXC.

Thanks.
Nuno

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com] 
Sent: Tuesday, 14 February 2017 14:55
To: Nuno Higgs
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container

On (14/02/17 13:00), Nuno Higgs wrote:
>Hello All,
>
> 
>
>I have an LXC container running CentOS 7, fully patched, that I can't 
>log in to in a standard IPA usage configuration:
>
>
>Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied 
>for user nuno 4 (System error)
>
System error means an unexpected state for sssd.

I would recommend following the sssd troubleshooting wiki: https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthenticationPasswordChangeandAccessControl


>Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 
>172.16.0.10 port 54461 ssh2
>
>Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by 
>PAM account configuration [preauth]
>
>Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 
>[preauth]
>
>Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication 
>success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 
>user=nuno
>
>Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired 
>for nuno from 172.16.3.253
>
This error is a little bit later, but I think it is clear enough.
The account is expired.

LS
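
Added example (not part of either message and not SSSD's own code): a small Python parser that pairs each PAM command in an sssd_pam.log excerpt with the data provider's reply, so the phase that fails stands out, as in the log above where SSS_PAM_AUTHENTICATE returns Success and SSS_PAM_ACCT_MGMT returns System error. The sample lines are constructed in the format quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the sssd_pam.log format quoted above (not the poster's log).
SAMPLE_LOG = """\
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: alice@example.test
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.test]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: alice
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: alice@example.test
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][example.test]
"""

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>\w+)\] "
                     r"\(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
FIELD_RE = re.compile(r"^(command|user|service|rhost|cli_pid): (.*)$")
REPLY_RE = re.compile(r"^received: \[(\d+) \(([^)]*)\)\]\[([^\]]*)\]$")

def pam_phases(log_text):
    """Return one dict per PAM request that received a data-provider reply."""
    phases, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_print_data":
            f = FIELD_RE.match(msg)
            if f:
                if f.group(1) == "command":
                    current = {}  # each request dump starts with its command
                current[f.group(1)] = f.group(2)
        elif func == "pam_dp_process_reply":
            r = REPLY_RE.match(msg)
            if r and current:
                phases.append({**current, "ts": m.group("ts"), "code": int(r.group(1)),
                               "status": r.group(2), "domain": r.group(3)})
                current = {}
    return phases

def failures(phases):
    """Keep only the phases whose reply code is non-zero."""
    return [p for p in phases if p["code"] != 0]

if __name__ == "__main__":
    for p in pam_phases(SAMPLE_LOG):
        print(p["ts"], p["command"], p["user"], p["code"], p["status"])
```
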




