Have you made sure your “elham” user has the correct permissions to access the 
machines? Take a look in the UI at the groups/permissions that user elham has. 
Take a look at your HBAC rules as well. That would be my first recommendation 
to check if it was me. 

-Kevin
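The check suggested above, as an added example that is not part of this thread: a small model of how FreeIPA's HBAC evaluation decides whether a user may reach a service on a host, the same question `ipa hbactest` answers. The rules, group memberships and host name below are constructed around the names in the post (user "elham", host "ipacli-irvlt01.example.dc", service "sshd"); none of it is FreeIPA's own code.

```python
# Added example (not FreeIPA code): model of FreeIPA HBAC evaluation.
# Rules are allow-only; access is granted when at least one enabled rule
# matches the user, the host and the PAM service, each either by an "all"
# category or by direct/group membership.
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_cat: str = ""                      # "all" or "" (explicit members)
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    host_cat: str = ""
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    svc_cat: str = ""
    services: set = field(default_factory=set)
    svc_groups: set = field(default_factory=set)

def _matches(cat, direct, groups, name, memberships):
    # "all" matches anything; otherwise the name must be a direct member
    # of the rule or belong to one of the rule's member groups.
    return cat == "all" or name in direct or bool(groups & memberships)

def rule_allows(rule, user, user_groups, host, host_groups, service, svc_groups):
    if not rule.enabled:
        return False
    return (_matches(rule.user_cat, rule.users, rule.user_groups, user, user_groups)
            and _matches(rule.host_cat, rule.hosts, rule.host_groups, host, host_groups)
            and _matches(rule.svc_cat, rule.services, rule.svc_groups, service, svc_groups))

def hbactest(rules, user, user_groups, host, host_groups, service, svc_groups):
    """Return (access_granted, [matching rule names]), like `ipa hbactest`."""
    matched = [r.name for r in rules
               if rule_allows(r, user, user_groups, host, host_groups, service, svc_groups)]
    return bool(matched), matched

# Constructed sample: the default allow_all rule has been disabled and the
# only remaining rule covers members of the "admins" group for sshd.
SAMPLE_RULES = [
    HbacRule("allow_all", enabled=False, user_cat="all", host_cat="all", svc_cat="all"),
    HbacRule("admins_ssh", user_groups={"admins"}, host_cat="all", services={"sshd"}),
]

if __name__ == "__main__":
    granted, matched = hbactest(SAMPLE_RULES, "elham", {"ipausers"},
                                "ipacli-irvlt01.example.dc", set(), "sshd", set())
    print("Access granted:", granted, "matched rules:", matched)
```

On a real server the equivalent checks are `ipa hbactest --user=elham --host=ipacli-irvlt01.example.dc --service=sshd` for the decision and `ipa user-show elham` for the user's group memberships.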

> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> ### Request for enhancement
> As a Linux admin I want to log in to my IPA client with a user that is 
> defined in the ipa-server UI.
> 
> ### Issue
> I installed ipa-server and an ipa-client on CentOS 7.6.
> I defined internal DNS on the ipa-server and I defined A and PTR records for 
> the client on the ipa-server.
> Now I can see my client in the IPA UI and I defined a user with the name "elham", and 
> I expect that it can log in to the ipa-client.
> When I log in as root on the ipa-client and do sudo elham, it works, and kinit 
> elham works too, but
> when I ssh into the ipa-client with this user, it shows "Access denied".
> I have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
> 
> I'm tired of this issue. Please help me if you know the solution.
> 
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
> 
> #### Actual behavior
> (what happens)
> 
> #### Expected behavior
> login into ipa-client successfully
> 
> #### Version/Release/Distribution
>   ipa-server 4.6.5-11.el7
>   ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
> 
> 
> 
> krb5.conf
> ------------
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
> 
> 
> sssd.conf
> -------------
> [domain/example.dc]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
> 
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
> 
> debug_level = 10
> [nss]
> homedir_substring = /home
> 
> [pam]
> debug_level = 10
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [session_recording]
> 
> ##########################################
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org