Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me.
-Kevin

> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> ### Request for enhancement
> As a Linux admin I want to log in to my ipa client with a user that is defined in the ipa-server UI.
>
> ### Issue
> I installed ipa-server and an ipa-client on CentOS7.6.
> I defined internal DNS on ipa-server and I defined A and PTR records for the client on ipa-server.
> Now I can see my client in the ipa UI, and I defined a user with the name "elham" and I expect that it can log in to the ipa-client.
> When I log in with root on the ipa-client and I do sudo elham, it works, and kinit elham works too, but when I ssh into the ipa-client with this user, it shows "Access denied".
> I have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
>
> I'm tired of this issue. Please help me if you know the solution.
>
> #### Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
>
> #### Actual behavior
> (what happens)
>
> #### Expected behavior
> login into ipa-client successfully
>
> #### Version/Release/Distribution
> ipa-server 4.6.5-11.el7
> ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
>
> krb5.conf
> ------------
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LSHS.DC = {
>   kdc = ipa-irvlt01.example.dc:88
>   admin_server = ipa-irvlt01.example.dc:749
>   default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> ############################################
>
> sssd.conf
> -------------
> [domain/example.dc]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
>
> debug_level = 10
> [sssd]
> ########### AFTER IPA ###################
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #########################################
> domains = example.dc
>
> debug_level = 10
> [nss]
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ##########################################
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
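
An added example, not part of the thread or of FreeIPA/SSSD: a small triage script that sorts failing `pam_sss` lines from `/var/log/secure` by PAM phase, because SSSD applies HBAC in the account phase while failures in the auth phase happen before HBAC is consulted. The log lines, host name, addresses and the user "alice" are constructed samples; `USER` and `CLIENT_FQDN` in the hint text are placeholders.

```python
import re

# Constructed sample lines in the style of /var/log/secure on an IPA client
# (host names, PIDs, addresses and the user "alice" are made up).
SAMPLE_LOG = """\
Oct  9 07:10:01 ipacli sshd[2101]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=elham
Oct  9 07:10:01 ipacli sshd[2101]: pam_sss(sshd:auth): received for user elham: 7 (Authentication failure)
Oct  9 07:12:44 ipacli sshd[2117]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Oct  9 07:12:44 ipacli sshd[2117]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
"""

PAM_SSS = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)")
USER = re.compile(r"\buser[ =](?P<user>[^\s:;]+)")

# What to look at next for each verdict.
NEXT_STEP = {
    "auth_failure": "failed in the auth phase, before access control is "
                    "evaluated: check the password, kinit on the client, "
                    "and the SSSD domain log",
    "access_denied": "authentication passed, access control refused: run "
                     "ipa hbactest --user=USER --host=CLIENT_FQDN --service=sshd",
}

def classify(line):
    """Return (user, service, verdict) for a failing pam_sss line, else None."""
    m = PAM_SSS.search(line)
    if not m:
        return None
    msg = m["msg"]
    if m["phase"] == "auth" and "failure" in msg.lower():
        verdict = "auth_failure"
    elif m["phase"] == "account" and msg.startswith("Access denied"):
        verdict = "access_denied"
    else:
        return None  # success lines and other phases are not failures
    u = USER.search(msg)
    return (u["user"] if u else "?", m["service"], verdict)

def triage(log_text):
    """Deduplicated set of (user, service, verdict) over all lines."""
    return {hit for hit in map(classify, log_text.splitlines()) if hit}

if __name__ == "__main__":
    for user, service, verdict in sorted(triage(SAMPLE_LOG)):
        print(f"{user} via {service}: {verdict} -> {NEXT_STEP[verdict]}")
```
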