<div dir="rtl"><div dir="ltr">What is the content of the log when SSSD is doing auth?<br><br></div><div dir="ltr" class="gmail_extra">When I log in with an IPA domain client, the output of the log is (anything non-standard?):<br>
<br>Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1  user=<a href="mailto:ron@EXAMPLE.COM">ron@EXAMPLE.COM</a><br>Jan  5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=<a href="mailto:ron@EXAMPLE.COM">ron@EXAMPLE.COM</a><br>
Jan  5 12:08:37 ipaserver sshd[24434]: Accepted password for <a href="mailto:ron@EXAMPLE.COM">ron@EXAMPLE.COM</a> from 192.168.227.1 port 57144 ssh2<br>Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:session): session opened for user <a href="mailto:ron@EXAMPLE.COM">ron@EXAMPLE.COM</a> by (uid=0)<br>
<br><div dir="ltr">Here is the /etc/pam.d/system-auth file: <a href="https://gist.github.com/anonymous/8273507">https://gist.github.com/anonymous/8273507</a><br></div>It does contain the pam_sss.so module.<br><br>When I created the environment, first I installed the IPA server, then joined the IPA clients and finally created the trust.<br>
</div><div class="gmail_extra"><br><div class="gmail_quote"><div dir="ltr">2014/1/5 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span></div><blockquote class="gmail_quote" style="margin:0px 0.8ex;border-left:1px solid rgb(204,204,204);border-right:1px solid rgb(204,204,204);padding-left:1ex;padding-right:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div class="im">
    On 01/04/2014 06:13 PM, Genadi Postrilko wrote:
    <blockquote type="cite">
      <div dir="rtl">
        <div dir="ltr">Output from /var/log/secure:<br>
          <br>
          Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user <a href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a>
          from 192.168.227.1<br>
          Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request:
          invalid user <a href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a><br>
          Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth):
          check pass; user unknown<br>
          Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth):
          authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
          rhost=192.168.227.1<br>
          Jan  4 15:03:06 ipaserver sshd[5958]:
          pam_succeed_if(sshd:auth): error retrieving information about
          user <a href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a><br>
          Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for
          invalid user <a href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a>
          from 192.168.227.1 port 53125 ssh2<br>
        </div>
      </div>
    </blockquote>
    <br></div>
    I do not see SSSD doing auth.<br>
    Is pam_sss configured for PAM for SSH?<br>
    See more details here:<br>
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#installing-host-keys" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#installing-host-keys</a><br>

<a href="http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf" target="_blank">http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf</a><br>
    <br>
    I do not see a simple HowTo to configure SSH to use SSSD for cases
    when ipa-client-install is not used. Maybe we should provide one.<br>
    The expectation is:<br>
    You install IPA, create trust, join client to IPA using
    ipa-client-install and it configures everything you need.<br>
    The order of last two steps can be reversed but the result should be
    the same.<br>
    <br>
    <blockquote type="cite"><div class="im">
      <div dir="rtl">
        <div dir="ltr">
          <br>
        </div>
      </div>
      <div class="gmail_extra">
        <div dir="ltr"><br>
          <br>
          <div class="gmail_quote">2014/1/3 Genadi Postrilko <span dir="ltr"><<a href="mailto:genadipost@gmail.com" target="_blank">genadipost@gmail.com</a>></span><br>
            <blockquote class="gmail_quote" style="margin:0px 0.8ex;border-left:1px solid rgb(204,204,204);border-right:1px solid rgb(204,204,204);padding-left:1ex;padding-right:1ex">
              <div dir="rtl">
                <div dir="ltr">Here are the other logs as well
                  (ldap_child.log, sssd_pac.log, sssd_ssh.log).<br>
                  <br>
                  <a href="https://gist.github.com/anonymous/8242061" target="_blank">https://gist.github.com/anonymous/8242061</a><br>
                  <br>
                </div>
                <div dir="ltr">I attempted to log in (as <a href="mailto:Administrator@ADDC.COM" target="_blank">Administrator@ADDC.COM</a>)
                  at 9:04.<br>
                  <br>
                </div>
                <div dir="ltr">Thanks for the help.<br>
                </div>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
      <br>
      <br>
      </div><div class="im"><pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </div></blockquote>
    <br><div class="im">
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
  </div></div>

</blockquote></div><br></div></div>
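<div dir="ltr">The check discussed in this thread (does pam_sss appear in the sshd auth lines of /var/log/secure?), as an added example that is not part of the original messages. It groups sshd lines by PID and reports which PAM modules logged during auth; the sample lines are taken from the two log excerpts quoted above, and the function and field names are hypothetical.</div>

```python
import re
from collections import defaultdict

# Sample lines copied from the two /var/log/secure excerpts quoted in this thread.
SAMPLE = """\
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1  user=ron@EXAMPLE.COM
Jan  5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=ron@EXAMPLE.COM
Jan  5 12:08:37 ipaserver sshd[24434]: Accepted password for ron@EXAMPLE.COM from 192.168.227.1 port 57144 ssh2
Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user Administrator@ADDC.COM
Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user Administrator@ADDC.COM from 192.168.227.1 port 53125 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")            # PID and message text
PAM = re.compile(r"(pam_\w+)\(sshd:auth\)")            # module that logged in the auth phase
RESULT = re.compile(r"(Accepted|Failed) password for (?:invalid user )?(\S+)")


def summarize(text):
    """Return {pid: summary} for every sshd process seen in the log text."""
    sessions = defaultdict(
        lambda: {"user": None, "modules": [], "resolved": True, "outcome": None}
    )
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        pam = PAM.match(msg)
        if pam and pam.group(1) not in s["modules"]:
            s["modules"].append(pam.group(1))
        if msg.startswith("Invalid user "):
            s["resolved"] = False      # sshd could not look the account up
        res = RESULT.match(msg)
        if res:
            s["outcome"], s["user"] = res.group(1), res.group(2)
    for s in sessions.values():
        s["sss_seen"] = "pam_sss" in s["modules"]
    return dict(sessions)


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["user"], s["outcome"], s["modules"],
              "pam_sss seen" if s["sss_seen"] else "no pam_sss in auth",
              "" if s["resolved"] else "(user unknown to sshd)")
```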