On Mon, Jan 09, 2017 at 09:48:50AM +0100, rajat gupta wrote:
> Few users are able to login. IPA ad-trust setup.
>
> ==========================
> Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from x.x.x.x
> Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: input_userauth_request: invalid user et33015 [preauth]
> Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to the underlying authentication module for illegal user et33015 from x.x.x.x
> Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Failed keyboard-interactive/pam for invalid user et33015 from x.x.x.x port 51270 ssh2
> Jan 6 10:48:56 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user et33015 from 146.213.128.135 port 51270 ssh2
> Jan 6 10:49:00 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user et33015 from 146.213.128.135 port 51270 ssh2
> Jan 6 10:49:02 ilt-gif-ipa02 sshd[22490]: Failed password for invalid user et33015 from 146.213.128.135 port 51270 ssh2
> Jan 6 10:49:32 ilt-gif-ipa02 sshd[22490]: Connection closed by x.x.x.x [preauth]
> ============================
>
> ====================
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_server_status] (0x1000): Status of server 'ilt-gif-ipa01.ipa.preprod.local' is 'working'
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'ilt-gif-ipa01.ipa.preprod.local' is 'not working'
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline] (0x2000): Going offline!
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline] (0x2000): Initialize check_if_online_ptask.
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 72 seconds from now [1483696200]
> (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks

More data from the domain log is needed here, because it is not clear if the system went offline before or after processing the request and why the port is marked as not working. Please include the log data up to 5 minutes before as well.

bye,
Sumit

>
> =================
>
> cat /etc/sssd/sssd.conf
> [domain/ipa.preprod.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.preprod.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ilt-gif-ipa02.ipa.preprod.local
> chpass_provider = ipa
> ipa_server = _srv_, ilt-gif-ipa01.ipa.preprod.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 9
>
> [sssd]
> default_domain_suffix = corp.corpcommon.com
> services = nss, sudo, pam, ssh
> debug_level = 9
>
> domains = ipa.preprod.local
> [nss]
> override_homedir = /home/%u
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 9
>
> [pac]
>
> [ifp]
> ===============
>
> I am able to getent and kinit for all of the AD users, but most of the users
> are not able to log in via ssh /ad-password
>
> getent passwd et33015
> et33...@corp.corpcommon.com:*:1007629326:1007629326:Th Sub:/home/et33015:
>
> and
>
> kinit et33...@corp.corpcommon.com
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
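
One way to pull the requested five-minute window out of the SSSD domain log and check whether the first offline transition precedes the login attempt. This is an added example, not part of the thread and not SSSD project code. The function names, the `SAMPLE` lines and the assumption that the log uses the one-second timestamp format quoted above are this example's own.

```python
import re
from datetime import datetime, timedelta

# Matches the format quoted in the thread: (timestamp) [process] [function] (0xLEVEL): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
                  r"\((?P<level>0x[0-9a-f]{4})\): (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse(lines):
    """Yield (timestamp, function, message); lines in any other format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["func"], m["msg"]

def window_before(lines, request_time, minutes=5):
    """Entries from `minutes` before the request up to and including its second."""
    start = request_time - timedelta(minutes=minutes)
    return [e for e in parse(lines) if start <= e[0] <= request_time]

def offline_ordering(lines, request_time):
    """Report whether the first be_mark_offline entry precedes the request."""
    offline = [ts for ts, func, _ in parse(lines) if func == "be_mark_offline"]
    if not offline:
        return "never-offline"
    first = min(offline)
    if first < request_time:
        return "offline-before-request"
    if first > request_time:
        return "offline-after-request"
    return "same-second"  # one-second timestamps cannot order the two events

# Constructed sample: first entry is invented, the next two are quoted in the thread.
SAMPLE = [
    "(Fri Jan 6 10:44:10 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_schedule] (0x0400): constructed earlier entry",
    "(Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'",
    "(Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline] (0x2000): Going offline!",
    "not a log line",
]
REQUEST = datetime(2017, 1, 6, 10, 48, 48)  # sshd "Invalid user" time in the thread

if __name__ == "__main__":
    for ts, func, msg in window_before(SAMPLE, REQUEST):
        print(ts, func, msg)
    print(offline_ordering(SAMPLE, REQUEST))
```

With the timestamps quoted in the thread the result is `same-second`, which is why the excerpt alone cannot show whether the backend went offline before or after the request.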