Thanks for any help.
I'm using Debian 13 Trixie within a Proxmox LXC as a FreeIPA client. My
FreeIPA server is run on Fedora 42. My IPA server version is VERSION: 4.12.5,
API_VERSION: 2.254.
I went through setting up freeipa-client on Debian. I have a working Arch
Linux installation as another freeipa client and I compared a lot of the
configuration with krb5.conf and sssd.conf to the working configuration.
After working through the installation, if I try to log in as a FreeIPA user I
get the following:
$ su jax
Password:
su: Authentication failure
At first glance I took this to be an error related to PAM; however, I
checked the PAM module files and found I have the following:
$ grep -R sss /etc/pam.d/
/etc/pam.d/common-session:session optional pam_sss.so
/etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-password:password sufficient pam_sss.so use_authtok
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
My Arch Linux pam.d files were a lot different, so I really couldn't compare the
structure.
I've confirmed I get a Kerberos ticket issued for my PAM user:
$ kinit jax
Password for jax@<DOMAIN>.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jax@<DOMAIN>.COM
Valid starting       Expires              Service principal
10/19/2025 00:08:10  10/19/2025 23:53:28  krbtgt/[email protected]
I'm not sure where to look as journalctl isn't exactly helpful:
$ sudo journalctl -g pam -b
...
Oct 18 23:46:37 traefik.domain.com su[520]: pam_unix(su:auth): authentication failure; logname=kevdog uid=1000 euid=0 tty=/dev/pts/3 ruser=kevdog rhost=  user=jax
Oct 18 23:46:37 traefik.domain.com su[520]: pam_sss(su:auth): authentication failure; logname=kevdog uid=1000 euid=0 tty=/dev/pts/3 ruser=kevdog rhost=  user=jax
Oct 18 23:46:37 traefik.domain.com su[520]: pam_sss(su:auth): received for user jax: 4 (System error)
For reference, my sssd.conf is below:
[domain/domain.com]
id_provider = ipa
ipa_server = ipa.domain.com
ipa_domain = domain.com
ipa_hostname = traefik.domain.com
sudo_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = permit
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
ldap_schema = ipa
ldap_group_member = member
enumerate = True
default_shell = /usr/bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u
[sssd]
services = nss, pam, ssh, sudo
domains = domain.com
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
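The journal excerpt in the post mixes a pam_unix failure, a pam_sss failure and a numeric pam_sss result ("4 (System error)") for the same su attempt. The following is an added example, not code from the post or from the FreeIPA/SSSD projects: it parses journal lines of that shape into structured records, maps the pam_sss result code to its Linux-PAM name, and classifies each attempt so that a backend error (PAM_SYSTEM_ERR, which points at SSSD or the IPA server rather than the password) is kept apart from an ordinary denial. The sample lines, hostnames and the extra sshd line are constructed for the example.

```python
"""Triage pam_sss / pam_unix lines from journalctl output.

Added example (not from the original post). Parses lines of the form
  <ts> <host> <proc>[<pid>]: pam_X(<service>:<type>): <message>
and classifies each pam_sss result. Sample data below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Linux-PAM return codes (values from <security/_pam_types.h>); only the
# ones commonly seen in pam_sss "received for user" messages are listed.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",        # backend/SSSD problem, not a bad password
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_NEW_AUTHTOK_REQD",
}

# Constructed sample modelled on the excerpt in the post; host and
# user names are placeholders, the sshd line is added for contrast.
SAMPLE_JOURNAL = """\
Oct 18 23:46:37 client.example.com su[520]: pam_unix(su:auth): authentication failure; logname=admin uid=1000 euid=0 tty=/dev/pts/3 ruser=admin rhost=  user=jax
Oct 18 23:46:37 client.example.com su[520]: pam_sss(su:auth): authentication failure; logname=admin uid=1000 euid=0 tty=/dev/pts/3 ruser=admin rhost=  user=jax
Oct 18 23:46:37 client.example.com su[520]: pam_sss(su:auth): received for user jax: 4 (System error)
Oct 18 23:47:02 client.example.com sshd[611]: pam_sss(sshd:auth): received for user jax: 7 (Authentication failure)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs; value may be empty (rhost=)


@dataclass
class PamEvent:
    timestamp: str
    host: str
    process: str
    pid: int
    module: str
    service: str
    type: str
    user: Optional[str] = None
    code: Optional[int] = None
    code_name: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


def parse_journal(text: str) -> List[PamEvent]:
    """Turn journal text into PamEvent records; non-PAM lines are skipped."""
    events: List[PamEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = PamEvent(m["ts"], m["host"], m["proc"], int(m["pid"]),
                      m["module"], m["service"], m["type"])
        r = RESULT_RE.search(m["msg"])
        if r:
            # "received for user X: N (text)" carries the module's return code
            ev.user = r["user"]
            ev.code = int(r["code"])
            ev.code_name = PAM_CODES.get(ev.code, f"UNKNOWN({ev.code})")
        else:
            # "authentication failure; logname=... user=..." is key=value data
            ev.fields = dict(KV_RE.findall(m["msg"]))
            ev.user = ev.fields.get("user")
        events.append(ev)
    return events


def triage(events: List[PamEvent]) -> Dict[Tuple[str, int, Optional[str]], str]:
    """Classify each pam_sss attempt, keyed by (service, pid, user).

    A backend-error verdict means the next place to look is SSSD itself
    (e.g. debug_level in sssd.conf and /var/log/sssd/sssd_pam.log), not
    the password or the PAM stack ordering.
    """
    verdicts: Dict[Tuple[str, int, Optional[str]], str] = {}
    for ev in events:
        if ev.module != "pam_sss" or ev.code is None:
            continue
        key = (ev.service, ev.pid, ev.user)
        if ev.code == 4:
            verdicts[key] = "backend-error"
        elif ev.code in (6, 7):
            verdicts[key] = "denied"
        elif ev.code == 0:
            verdicts[key] = "success"
        else:
            verdicts[key] = ev.code_name.lower()
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(parse_journal(SAMPLE_JOURNAL)).items():
        print(f"{key[0]}[{key[1]}] user={key[2]}: {verdict}")
```

Run it against real output with `journalctl -g pam_sss -b -o short | python3 triage.py` after replacing SAMPLE_JOURNAL with `sys.stdin.read()`; the `-o short` format matches the timestamp shape the regex expects. Only the pam_sss "received for user" line carries the module's return code, so the classification keys on it and treats the preceding "authentication failure" lines as supporting detail.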