(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'staaj' matched without domain, user is staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/company-dev.com/staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:st...@vocal-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [company-dev.com][3][1][name=staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:st...@company-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: B35A10
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb41990
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:st...@company-dev.com]

The only thing I see about SELinux is here:

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

# rpm -qa |grep sssd
sssd-client-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64

On Wed, Apr 10, 2013 at 2:15 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> > Shawn wrote:
> > > [root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> > > --------------------
> > > Access granted: True
> > > --------------------
> > >   Matched rules: allow_all
> > > [root@freeipa ~]#
> > >
> > >
> > > └─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> > > Connection closed by 54x.x.x.x
> > >
> > > (client server logs)
> > > Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
> > > Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration
> > >
> > >
> > > (client ipa versions)
> > > ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > > ipa-client-3.0.0-26.el6_4.2.x86_64
> > > ipa-python-3.0.0-26.el6_4.2.x86_64
> > >
> > >
> > > (master ipa versions)
> > > [root@freeipa ~]# rpm -qa |grep ipa-
> > >
> > > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > > ipa-client-3.0.0-26.el6_4.2.x86_64
> > > ipa-python-3.0.0-26.el6_4.2.x86_64
> > > ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > > ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> > > ipa-server-3.0.0-26.el6_4.2.x86_64
> > > [root@freeipa ~]#
> >
> > An error is occurring somewhere which is why access is denied. This isn't HBAC, that looks like:
> >
> > pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
> >
> > You need to crank up debugging in sssd and see what its logs say.
> >
> > rob
>
> What SSSD version is there on the client?
>
> It's possible that it might be a similar issue to one Jan-Frode had with SELinux.
>
> Rob is right, please raise the debug_level in the [pam] and [domain] sections and attach or paste the relevant portions of (sanitized) logs.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
*- Shawn Taaj*
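A small triage helper for the kind of dump pasted above, added here as an example and not code from the thread, from SSSD or from FreeIPA: it splits a run-together sssd_pam.log into structured entries, collects the request context that pam_print_data logs (user, service, rhost), returns the first entry logged at a failure level, and decodes the numeric code in the sshd-side `pam_sss(sshd:account): Access denied for user ...: N` line. In the sample the failure-level entry is the write_selinux_login_file error and the PAM code is 4, the pairing that this thread is about. The debug-level names follow the bit values documented in sssd.conf(5) and the code names follow Linux-PAM; the sample log text and syslog line are constructed from the sanitized lines in this message.

```python
"""Triage a run-together sssd_pam.log dump against the sshd-side pam_sss denial.

Added example, not from the thread or from SSSD. Assumes the SSSD debug line
format "(timestamp) [sssd[component]] [function] (0xLEVEL): message" and the
debug_level bit values from sssd.conf(5). Sample inputs are constructed from
the sanitized lines quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# debug_level bits as documented in sssd.conf(5); anything <= 0x0080 is a failure.
SSSD_LEVELS = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration settings", 0x0200: "function data",
    0x0400: "trace: function entry/exit", 0x0800: "trace: library calls",
    0x1000: "trace: internal", 0x2000: "trace: all", 0x4000: "trace: low-level",
}

# Linux-PAM return codes that pam_sss prints as "Access denied for user X: N".
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

# An entry starts at a ctime-style timestamp in parentheses followed by "[sssd[".
_ENTRY_START = re.compile(r"(?=\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[sssd\[)")
_ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
_PAM_SSS = re.compile(
    r"pam_sss\((?P<service>\w+):(?P<stack>\w+)\): Access denied for user (?P<user>\S+): (?P<code>\d+)"
)

# Constructed sample: a subset of the sanitized sssd_pam.log lines quoted in the thread,
# deliberately run together and wrapped the way the pasted dump was.
SAMPLE_SSSD_LOG = (
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT "
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user:staaj "
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd "
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7 "
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data "
    "Provider - DP error code: 0 errno: 0 error message: Success\n"
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the "
    "temp file for SELinux data failed.\n/etc/selinux/targeted/logins/staajtlQ108"
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30"
)
# Constructed sample: the sshd-side syslog line quoted in the thread.
SAMPLE_SYSLOG = ("Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): "
                 "Access denied for user myuser: 4 (System error)")


def parse_sssd_log(text: str) -> List[Dict[str, object]]:
    """Split a possibly run-together SSSD debug log into structured entries."""
    entries = []
    for chunk in _ENTRY_START.split(text):
        chunk = " ".join(chunk.split())  # re-join an entry that was wrapped across lines
        m = _ENTRY.match(chunk)
        if not m:
            continue  # leading fragment or non-log text
        level = int(m["level"], 16)
        entries.append({"ts": m["ts"], "component": m["comp"], "func": m["func"],
                        "level": level, "level_name": SSSD_LEVELS.get(level, "unknown"),
                        "msg": m["msg"]})
    return entries


def pam_request_context(entries: List[Dict[str, object]]) -> Dict[str, str]:
    """Collect the key: value pairs that pam_print_data logs; the last value wins."""
    ctx: Dict[str, str] = {}
    for e in entries:
        if e["func"] == "pam_print_data" and ":" in str(e["msg"]):
            key, _, value = str(e["msg"]).partition(":")
            ctx[key.strip()] = value.strip()
    return ctx


def first_failure(entries: List[Dict[str, object]], max_level: int = 0x0080) -> Optional[Dict[str, object]]:
    """Return the first entry logged at a failure level (fatal .. minor), or None."""
    for e in entries:
        if int(e["level"]) <= max_level:
            return e
    return None


def parse_pam_sss_denial(line: str) -> Optional[Dict[str, object]]:
    """Decode the numeric PAM code in a pam_sss 'Access denied' syslog line."""
    m = _PAM_SSS.search(line)
    if not m:
        return None
    code = int(m["code"])
    return {"service": m["service"], "stack": m["stack"], "user": m["user"],
            "code": code, "code_name": PAM_CODES.get(code, "unknown")}


if __name__ == "__main__":
    entries = parse_sssd_log(SAMPLE_SSSD_LOG)
    print("request:", pam_request_context(entries))
    print("first failure:", first_failure(entries))
    print("sshd side:", parse_pam_sss_denial(SAMPLE_SYSLOG))
```

The two decoders are meant to be read together: a `4 (PAM_SYSTEM_ERR)` from pam_sss points at something breaking inside the responder on the client, whereas a `6 (PAM_PERM_DENIED)` is an actual authorization decision such as an HBAC denial, which is the distinction Rob draws above. Filtering the debug log to entries at or below 0x0080 is what surfaces the one line that matters in a dump of several hundred trace entries.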