<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/02/2014 04:45 PM, Genadi Postrilko wrote:
<blockquote
cite="mid:CAPP+0vL6qMDHmP9DWw_k7Gz8QpqGm-6ZyNEHne_gGdnrSmwAxA@mail.gmail.com"
type="cite">
<div dir="rtl">
<div dir="ltr">It's a newly installed IPA Server, haven't added
any Rules.<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">The relevant output from /var/log/secure :<br>
<br>
Jan 2 13:36:24 ipaserver sshd[4864]: Invalid user from
192.168.227.100<br>
Jan 2 13:36:24 ipaserver sshd[4865]: input_userauth_request:
invalid user<br>
Jan 2 13:36:26 ipaserver sshd[4865]: Connection closed by
192.168.227.100<br>
Jan 2 13:36:35 ipaserver sshd[4868]: Invalid user <a
moz-do-not-send="true" href="mailto:Administrator@ADDC.COM">Administrator@ADDC.COM</a>
from 192.168.227.100<br>
Jan 2 13:36:35 ipaserver sshd[4869]: input_userauth_request:
invalid user <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM">Administrator@ADDC.COM</a><br>
Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth):
check pass; user unknown<br>
Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.227.100<br>
Jan 2 13:36:44 ipaserver sshd[4868]:
pam_succeed_if(sshd:auth): error retrieving information about
user <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM">Administrator@ADDC.COM</a><br>
Jan 2 13:36:46 ipaserver sshd[4868]: Failed password for
invalid user <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM">Administrator@ADDC.COM</a>
from 192.168.227.100 port 62484 ssh2<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div dir="ltr">2014/1/2 Rob Crittenden <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span></div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Genadi Postrilko wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">
Hi all.<br>
<br>
I have a running IPA Server (3.0.0-37) on RHEL 6.2.<br>
I'm trying to create Trust between IPA server and AD
(In different DNS<br>
domains). I followed the Red Hat guide<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf"
target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf</a>.<br>
<br>
When I completed the needed step to create the trust and
retrieved a krb<br>
ticket from the AD server:<br>
<br>
[root@ipaserver ~]# kinit <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a><br>
</div>
Password for <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a>:
<div class="im"><br>
[root@ipaserver ~]# klist<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_0">FILE:/tmp/krb5cc_0</a><br>
</div>
Default principal: <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a>
<div class="im">
<br>
<br>
Valid starting Expires Service principal<br>
01/02/14 12:20:30 01/02/14 22:20:34 krbtgt/<a
moz-do-not-send="true" href="mailto:ADDC.COM@ADDC.COM"
target="_blank">ADDC.COM@ADDC.COM</a><br>
</div>
<div class="im"><br>
renew until 01/03/14 12:20:30<br>
<br>
But when I try to connect to the IPA server via SSH
(Putty) i get<br>
"Access denied" message:<br>
<br>
</div>
login as: <a moz-do-not-send="true"
href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a><br>
Administrator@ADDC.COM@192.168.227.128's
password:
<div class="im"><br>
Access denied<br>
<br>
Any ideas on what I could have done wrong in the process
of creating the<br>
trust?<br>
</div>
</blockquote>
<br>
I'd check the sssd logs and /var/log/secure.<br>
<br>
Do you have any HBAC rules?<span class="HOEnZb"><font
color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
Looks like an error similar to what I see in the other thread.<br>
Unfortunately we might need to wait till Monday for Alexander, Sumit
and Jakub to come back and provide help.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>