On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> Shawn wrote:
> >[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> >--------------------
> >Access granted: True
> >--------------------
> >  Matched rules: allow_all
> >[root@freeipa ~]#
> >
> >
> >└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com
> ><mailto:myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com> -i
> >/home/user/.ssh/key
> >Connection closed by 54x.x.x.x
> >
> >(client server logs)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> >Access denied for user myuser: 4 (System error)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> >user client by PAM account configuration
> >
> >
> >(client ipa versions)
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >
> >
> >(master ipa versions)
> >[root@freeipa ~]# rpm -qa |grep ipa-
> >
> >ipa-pki-common-theme-9.0.3-7.el6.noarch
> >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> >ipa-server-3.0.0-26.el6_4.2.x86_64
> >[root@freeipa ~]#
>
> An error is occurring somewhere which is why access is denied. This
> isn't HBAC, that looks like:
>
> pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
>
> You need to crank up debugging in sssd and see what its logs say.
>
> rob

What SSSD version is there on the client? It's possible that it might be a similar issue to one Jan-Frode had with SELinux. Rob is right, please raise the debug_level in the [pam] and [domain] sections and attach or paste the relevant portions of (sanitized) logs.
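
Added example, not part of the original thread: a small Python triage over sshd syslog lines that separates the two pam_sss account results discussed above, code 4 (System error) and code 6 (Permission denied). The first two sample lines are the ones quoted in the thread, unwrapped; the third is constructed from Rob's example with a made-up timestamp and PID, and the function names are hypothetical.

```python
import re

# pam_sss account-phase denial as it appears in the sshd syslog lines above.
DENIAL = re.compile(
    r"\w+\[\d+\]: pam_sss\((?P<service>[^:]+):account\): "
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Only the two codes discussed in the thread are interpreted.
VERDICT = {
    4: "sssd-error",   # System error: something failed inside SSSD, not a policy decision
    6: "policy-deny",  # Permission denied: what an HBAC denial looks like
}

def triage(lines):
    """Return one dict per pam_sss account denial found in the log lines."""
    findings = []
    for line in lines:
        m = DENIAL.search(line)
        if m is None:
            continue  # e.g. sshd's own "fatal: Access denied ... by PAM" summary line
        code = int(m.group("code"))
        findings.append({
            "user": m.group("user"),
            "service": m.group("service"),
            "code": code,
            "verdict": VERDICT.get(code, "other"),
        })
    return findings

def next_step(finding):
    """Map a verdict to the follow-up suggested in the thread."""
    if finding["verdict"] == "sssd-error":
        return "raise debug_level in the [pam] and [domain] sections and read the SSSD logs"
    if finding["verdict"] == "policy-deny":
        return "check which HBAC rules match with ipa hbactest"
    return "code not covered in the thread; look up the PAM return code"

# Sample input: lines 1-2 from the thread (unwrapped), line 3 constructed.
SAMPLE = [
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)",
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration",
    "Apr 10 14:02:11 ip-10-152-174-17 sshd[22901]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['user']}: code {f['code']} -> {f['verdict']}: {next_step(f)}")
```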