Hi Kev, do you have the complete contents of /etc/pam.d/su and /etc/pam.d/common-auth for us? I'm also running trixie, and everything seems to be working for me so far.
Peter

________________________________________
From: kev dog via FreeIPA-users <[email protected]>
Sent: Sunday, 19 October 2025 07:32
To: [email protected]
Cc: kev dog
Subject: [Freeipa-users] Authentication failure using FreeIPA with Debian13

Thanks for any help.

I'm using Debian 13 Trixie within a Proxmox LXC as a FreeIPA client. My FreeIPA server is run on Fedora 42. My IPA server version is VERSION: 4.12.5, API_VERSION: 2.254.

I went through setting up freeipa-client on Debian. I have a working Arch Linux installation as another FreeIPA client and I compared a lot of the configuration with krb5.conf and sssd.conf to the working configuration.

After working through the installation, if I try to log in as a FreeIPA user I get the following:

$ su jax
Password:
su: Authentication failure

At first glance I thought of this immediately as an error related to PAM; however, I checked the PAM module files and found I have the following:

$ grep -R sss /etc/pam.d/
/etc/pam.d/common-session:session optional pam_sss.so
/etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-password:password sufficient pam_sss.so use_authtok
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass

My Arch Linux pam.d files were a lot different so I really couldn't compare the structure.

I've confirmed I get a Kerberos ticket issued for my PAM user:

$ kinit jax
Password for jax@<DOMAIN>.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jax@<DOMAIN>.COM

Valid starting       Expires              Service principal
10/19/2025 00:08:10  10/19/2025 23:53:28  krbtgt/[email protected]

I'm not sure where to look as journalctl isn't exactly helpful:

$ sudo journalctl -g pam -b
...
Oct 18 23:46:37 traefik.domain.com su[520]: pam_unix(su:auth): authentication failure; logname=kevdog uid=1000 euid=0 tty=/dev/pts/3 ruser=kevdog rhost= user=jax
Oct 18 23:46:37 traefik.domain.com su[520]: pam_sss(su:auth): authentication failure; logname=kevdog uid=1000 euid=0 tty=/dev/pts/3 ruser=kevdog rhost= user=jax
Oct 18 23:46:37 traefik.domain.com su[520]: pam_sss(su:auth): received for user jax: 4 (System error)

For reference my sssd.conf is below:

[domain/domain.com]
id_provider = ipa
ipa_server = ipa.domain.com
ipa_domain = domain.com
ipa_hostname = traefik.domain.com
sudo_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = permit
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
ldap_schema = ipa
ldap_group_member = member
enumerate = True
default_shell = /usr/bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u

[sssd]
services = nss, pam, ssh, sudo
domains = domain.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
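
Added example, not part of either message and not code from FreeIPA, SSSD or Debian: a simplified model of how PAM evaluates an auth stack containing the `[success=1 default=ignore]` control shown in the grep output above. The stack is a constructed sample that assumes the usual Debian pam-auth-update layout (only the pam_sss line is confirmed by the thread), and `parse_stack` and `run_stack` are hypothetical helper names.

```python
# Simplified model of how Linux-PAM walks an "auth" stack (added example).
# CONSTRUCTED sample, assumed Debian layout; only pam_sss is from the thread.
SAMPLE_COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Keyword controls in their bracket form, reduced to success/default.
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_stack(text, mgmt="auth"):
    """Return [(module, {result_token: action})] for one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2 or parts[0] != mgmt:
            continue                      # blank, comment, @include, other group
        if parts[1].startswith("["):
            ctl, rest = parts[1][1:].split("]", 1)
            control = dict(tok.split("=", 1) for tok in ctl.split())
        else:
            word, rest = parts[1].split(None, 1)
            control = KEYWORDS[word]
        stack.append((rest.split()[0], control))
    return stack

def run_stack(stack, results):
    """results: module -> PAM result token. Returns (granted, modules_called)."""
    results = {"pam_deny.so": "auth_err", "pam_permit.so": "success", **results}
    ok, failed, called, i = False, False, [], 0
    while i < len(stack):
        module, control = stack[i]
        called.append(module)
        action = control.get(results[module], control["default"])
        i += 1
        if action.isdigit():
            i += int(action)              # success=N: skip the next N modules
        ok = ok or action in ("ok", "done")
        failed = failed or action in ("bad", "die")
        if action in ("done", "die"):     # stop walking the stack immediately
            break
    return (ok and not failed), called
```

Under this assumed layout, `run_stack(parse_stack(SAMPLE_COMMON_AUTH), {"pam_unix.so": "auth_err", "pam_sss.so": "system_err"})` ends at pam_deny.so, the same order as the pam_unix and pam_sss failure lines in the journal output.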
