I even checked working version (IPA clusters) and they don't even have this AllowGroups.
Am I missing something ? 2015-08-01 22:52 GMT+02:00 Janelle <janellenicol...@gmail.com>: > which points to the configuration of sssd.conf and/or nsswitch.conf > It is in there. If you say there are no AllowGroups in sshd, it has to be in > one of those 2 places. > > ~J > > > On 8/1/15 1:26 PM, Matt . wrote: >> >> kinit admin works perfectly, that is such strange. >> >> 2015-08-01 22:15 GMT+02:00 Janelle <janellenicol...@gmail.com>: >>> >>> lastly -- on the master - do you get the same error if you "kinit admin"? >>> ~J >>> >>> >>> On 8/1/15 1:05 PM, Matt . wrote: >>>> >>>> This actually the most important part, and the GSS Failure concerns me: >>>> >>>> debug1: SSH2_MSG_SERVICE_ACCEPT received >>>> debug2: key: /root/.ssh/id_rsa ((nil)), >>>> debug2: key: /root/.ssh/id_dsa ((nil)), >>>> debug2: key: /root/.ssh/id_ecdsa ((nil)), >>>> debug2: key: /root/.ssh/id_ed25519 ((nil)), >>>> debug1: Authentications that can continue: >>>> publickey,gssapi-keyex,gssapi-with-mic,password >>>> debug3: start over, passed a different list >>>> publickey,gssapi-keyex,gssapi-with-mic,password >>>> debug3: preferred >>>> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password >>>> debug3: authmethod_lookup gssapi-keyex >>>> debug3: remaining preferred: >>>> gssapi-with-mic,publickey,keyboard-interactive,password >>>> debug3: authmethod_is_enabled gssapi-keyex >>>> debug1: Next authentication method: gssapi-keyex >>>> debug1: No valid Key exchange context >>>> debug2: we did not send a packet, disable method >>>> debug3: authmethod_lookup gssapi-with-mic >>>> debug3: remaining preferred: publickey,keyboard-interactive,password >>>> debug3: authmethod_is_enabled gssapi-with-mic >>>> debug1: Next authentication method: gssapi-with-mic >>>> debug1: Unspecified GSS failure. Minor code may provide more >>>> information >>>> No Kerberos credentials available >>>> >>>> debug1: Unspecified GSS failure. Minor code may provide more >>>> information >>>> No Kerberos credentials available >>>> >>>> debug1: Unspecified GSS failure. Minor code may provide more >>>> information >>>> >>>> >>>> debug1: Unspecified GSS failure. Minor code may provide more >>>> information >>>> No Kerberos credentials available >>>> >>>> debug2: we did not send a packet, disable method >>>> debug3: authmethod_lookup publickey >>>> debug3: remaining preferred: keyboard-interactive,password >>>> debug3: authmethod_is_enabled publickey >>>> debug1: Next authentication method: publickey >>>> debug1: Trying private key: /root/.ssh/id_rsa >>>> debug3: no such identity: /root/.ssh/id_rsa: No such file or directory >>>> debug1: Trying private key: /root/.ssh/id_dsa >>>> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory >>>> debug1: Trying private key: /root/.ssh/id_ecdsa >>>> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory >>>> debug1: Trying private key: /root/.ssh/id_ed25519 >>>> debug3: no such identity: /root/.ssh/id_ed25519: No such file or >>>> directory >>>> debug2: we did not send a packet, disable method >>>> debug3: authmethod_lookup password >>>> debug3: remaining preferred: ,password >>>> debug3: authmethod_is_enabled password >>>> debug1: Next authentication method: password >>>> admin@ipa-01.domain.local's password: >>>> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) >>>> debug2: we sent a password packet, wait for reply >>>> debug1: Authentications that can continue: >>>> publickey,gssapi-keyex,gssapi-with-mic,password >>>> Permission denied, please try again. >>>> >>>> 2015-08-01 22:02 GMT+02:00 Janelle <janellenicol...@gmail.com>: >>>>> >>>>> What is in the logs on the machine that is failing? Can you login to >>>>> admin >>>>> from anywhere? Logs are you best friend. >>>>> Also, a simply "ssh -vvv" will help. >>>>> >>>>> ~J >>>>> >>>>> >>>>> On 8/1/15 12:51 PM, Matt . wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> This didn't fix it yet. >>>>>> >>>>>> I wonder if there are any checks I can do as in the very past I was >>>>>> able to do a simple replica without any issues. >>>>>> >>>>>> Matt >>>>>> >>>>>> 2015-08-01 21:34 GMT+02:00 Janelle <janellenicol...@gmail.com>: >>>>>>> >>>>>>> Double check you do not have "AllowGroups" set in your >>>>>>> /etc/ssh/sshd_config >>>>>>> file. If you do, add the "admins" group. >>>>>>> >>>>>>> Also, make sure on the master, that the /etc/nsswitch.conf was >>>>>>> properly >>>>>>> updated. Several server installs I have done, have left off the "sss" >>>>>>> for >>>>>>> "passwd", "group" and "shadow". >>>>>>> >>>>>>> passwd: files sss >>>>>>> shadow: files sss >>>>>>> group: files sss >>>>>>> >>>>>>> I bet one of those will fix your problem. Restart sssd and/of sshd if >>>>>>> you >>>>>>> have to make changes. >>>>>>> >>>>>>> ~Janelle >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 8/1/15 10:13 AM, Matt . wrote: >>>>>>>> >>>>>>>> Hi Guys, >>>>>>>> >>>>>>>> I'm doing a replica install there my admin password for the SSH >>>>>>>> check >>>>>>>> to the master is not accepted. >>>>>>>> >>>>>>>> The password is not expired, I can use it on the GUI and even >>>>>>>> changing >>>>>>>> it in the GUI doesn't fix this. >>>>>>>> >>>>>>>> What can I check ? >>>>>>>> >>>>>>>> Cheers, >>>>>>>> >>>>>>>> Matt >>>>>>>> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project