On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> I set up freeipa on our environment and it works perfectly for most of the
> hosts.. but on few I am getting a permission denied.
>
> [root@ipa-client-1c :~] ssh tempuser@localhost
> tempuser@localhost's password:
> Permission denied, please try again.
> tempuser@localhost's password:
>
> I checked the hbac, but that seems to be fine
>
> root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_all
>
> Another thing I noticed is the nsswitch.conf had the below entries after
> the freeipa installation
>
> passwd: files sss ldap
> shadow: files sss ldap
> group: files sss ldap
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss ldap
>
> publickey: nisplus
>
> automount: files ldap
> aliases: files nisplus
>
> sudoers: files sss
>
> The ldap shouldn't be there above I guess..
>
> and from the logs, I have the below errors
>
> ==> /var/log/secure <==
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
> Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2
>
> ==> /var/log/messages <==
> Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied

Could it be caused by /etc/krb5.conf permissions as here:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html ?

Some advice is also here:
http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc

Martin
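
A quick way to test the two suspicions raised in this thread on an affected client, as an added example that is not part of the original messages: it checks whether /etc/krb5.conf is readable by non-root users and lists the nsswitch.conf databases that still name an `ldap` source. The function names, the `KRB5_CONF`/`NSSWITCH` override variables and the expectation that krb5.conf should be world-readable are assumptions of this sketch; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). Function names are hypothetical.

# world_readable PATH
# Returns 0 if the "other" permission bits include read, 1 if not,
# 2 if the file cannot be stat'ed. Assumes GNU stat (-c '%a').
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# nss_ldap_dbs FILE
# Prints one nsswitch database name per line for every non-comment entry
# whose source list contains the word "ldap".
nss_ldap_dbs() {
    awk -F: '
        /^[ \t]*#/ { next }            # skip comment lines
        NF >= 2 {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { gsub(/[ \t]/, "", $1); print $1; break }
        }' "$1"
}

# report
# Runs both checks against the live files (paths overridable for testing).
report() {
    conf=${KRB5_CONF:-/etc/krb5.conf}
    nss=${NSSWITCH:-/etc/nsswitch.conf}
    if world_readable "$conf"; then
        echo "$conf: readable by all users"
    else
        echo "$conf: NOT world-readable (mode $(stat -c '%a' "$conf" 2>/dev/null))"
    fi
    dbs=$(nss_ldap_dbs "$nss" | tr '\n' ' ')
    if [ -n "$dbs" ]; then
        echo "$nss: 'ldap' source still listed for: $dbs"
    fi
    return 0
}

# Only touch the real system files when explicitly asked: sh check.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

Run it on both a working and a failing client and compare the output; a difference in either line narrows down which of the two findings matters on the failing hosts.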