<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <p>Hello,</p> <p>You may need to increase the debug level to 9 and look in the sssd_<ipadomain>.log for failures after the failed login attempt - i would look in between log messages 'Got request for bobt...' and 'Backend returned' messages<br> </p> <p> <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting">https://fedorahosted.org/sssd/wiki/Troubleshooting</a></p> <p>You can also send the debug logs here for review.</p> <p>Make sure logins and lookups are working on the IPA server first before troubleshooting the IPA client.<br> </p> <p>Kind regards,</p> <p>Justin Stephenson<br> </p> <div class="moz-cite-prefix">On 08/09/2016 07:32 PM, Guy Knights wrote:<br> </div> <blockquote cite="mid:CAFtmDk-NDmz4=RGweZz=eqapu0wYBZug9Y=MYep-D-Bdi9B1fA@mail.gmail.com" type="cite"> <div dir="ltr">I've set up a freeipa server on a centos 7 machine and have successfully configured a 2-way trust between it and our active directory domain controller. I've also installed ipa-client on an ubuntu 14.04 machine and have run ipa-client-install, which has apparently successfully joined the FreeIPA domain.<br> <div><br> </div> <div>So far, I can successfully do the following:</div> <div><br> </div> <div>1. Log into the FreeIPA machine with an AD user account.</div> <div>2. Log into the Ubuntu machine with a FreeIPA account.</div> <div>3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have it return the associated FreeIPA user account details (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/<a moz-do-not-send="true" href="http://ipa.bbg.net/jackt:/bin/bash">ipa.bbg.net/jackt:/bin/bash</a>")</div> <div>4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it return the associated AD user account details (eg. "<a class="moz-txt-link-abbreviated" href="mailto:bobt@ad.bbg.net:*:1946801107:1946801107::/home/">bobt@ad.bbg.net:*:1946801107:1946801107::/home/</a><a moz-do-not-send="true" href="http://ad.bbg.net/bobt:/bin/bash">ad.bbg.net/bobt:/bin/bash</a>")</div> <div><br> </div> <div>What I can't do is log into the Ubuntu machine with the AD user. I'm using the following SSH command from the command line on my mac:</div> <div><br> </div> <div>ssh -o User=<a moz-do-not-send="true" href="mailto:bobt@ad.bbg.net">bobt@ad.bbg.net</a> <a moz-do-not-send="true" href="http://vm1.bbg.com">vm1.bbg.com</a></div> <div><br> </div> <div>It asks me for the password, I enter it and it says permissions denied, please try again. I set the debug level in SSSD on the ubuntu client to 5 and this is what shows up in the log during the login attempt:</div> <div><br> </div> (Tue Aug 9 16:25:56 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]<br> (Tue Aug 9 16:25:56 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed<br> (Tue Aug 9 16:25:57 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_pam_handler] (0x0100): Got request with the following data<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): domain: <a moz-do-not-send="true" href="http://ad.bbg.net">ad.bbg.net</a><br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): user: <a moz-do-not-send="true" href="mailto:bobt@ad.bbg.net">bobt@ad.bbg.net</a><br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): service: sshd<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): tty: ssh<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): ruser:<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): rhost: 192.168.100.157<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): authtok type: 1<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): newauthtok type: 0<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): priv: 1<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [pam_print_data] (0x0100): cli_pid: 16230<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [krb5_auth_send] (0x0100): No ccache file for user [<a moz-do-not-send="true" href="mailto:bobt@ad.bbg.net">bobt@ad.bbg.net</a>] found.<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_resolve_server_process] (0x0200): Found address for server <a moz-do-not-send="true" href="http://dc.ipa.bbg.net">dc.ipa.bbg.net</a>: [192.168.100.14] TTL 3600<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_pam_handler_callback] (0x0100): Sending result [4][<a moz-do-not-send="true" href="http://ad.bbg.net">ad.bbg.net</a>]<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [be_pam_handler_callback] (0x0100): Sent result [4][<a moz-do-not-send="true" href="http://ad.bbg.net">ad.bbg.net</a>]<br> (Tue Aug 9 16:27:54 2016) [sssd[be[<a moz-do-not-send="true" href="http://ipa.bbg.net">ipa.bbg.net</a>]]] [child_sig_handler] (0x0100): child [16313] finished successfully. <div><br> </div> <div>Can anyone explain why it's saying account info lookup failed when it can get the account info fine via getent?</div> <div><br> </div> <div>Thanks,</div> <div>Guy</div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> </body> </html>