[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
> Seems to happen on both Ubuntu 16.04 and 18.04.
> 
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:Ubuntu 16.04.6 LTS
> Release:16.04
> Codename:   xenial
> 
> $ firefox --version
> Mozilla Firefox 67.0.4
> 
> freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
> freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
> firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
> 
> 
> 
> Ubuntu 18.04 machine:
> 
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:Ubuntu 18.04.3 LTS
> Release:18.04
> Codename:   bionic
> 
> freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
> freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all
> [installed,automatic]
> firefox/bionic-updates,bionic-security,now
> 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]
> 
> Where is the system trust store located? I was going to validate that
> the freeipa ca.crt is added to the system trust store. If it's not
> there, how do you add the ca.crt to the system trust store?
> 
> Should the ipa-install-client command add the system wide trust store?
> 
Thanks for the details.  I do not know about system trust on Ubuntu.
It could be that ipa-client on Ubuntu does add the IPA CA to system
trust, but the Firefox/Chrome packages ignore the system trust
store.

Hopefully someone more familiar with Ubuntu can clarify.

Cheers,
Fraser

> I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.
> 
> On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale  wrote:
> >
> > On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users 
> > wrote:
> > > Hello,
> > >
> > > I’m wanting to make our https servers use a trusted certificate within 
> > > our LAN only. So for example if I have websrv1.ny.example.com when a user 
> > > uses a machine that’s enrolled into our realm and they visit 
> > > https://websrv1.ny.example.com they shouldn’t be prompted to accept the 
> > > self signed certificate.
> > >
> > > I think I’m pretty close but I’m missing a small part.
> > >
> > > The ipa server is all setup and working. Hosts are enrolled to ipa and 
> > > have the /etc/ipa/ca.crt.
> > >
> > > I have created a service for the http server in IPA. I have obtained a 
> > > .key file and .crt file for my web server. Those keys for the web server 
> > > are in the appropriate location and the web server is pointing at the 
> > > certs correctly.
> > >
> > > On my clients when I go to the web server's URL I am no longer getting a 
> > > “self signed cert” error message in the browser.
> > >
> > > That message has now changed to “unverified certificate authority”. Which 
> > > basically indicates to me that the browser doesn’t know if this 
> > > certificate authority should/can be trusted.
> > >
> > > If I go in the browser (firefox or chrome) in the certificate authority 
> > > section and import the /etc/ipa/ca.crt I get no errors in the browser 
> > > about it being unverified.
> > >
> > > So my question is, what am I missing to make the /etc/ipa/ca.crt file 
> > > globally available for browsers to pick up the certificate automatically?
> > >
> > > when we enroll a host we simply do
> > >
> > > freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
> > >
> > > Accept the defaults, put in the password to enroll and that’s it. Is 
> > > there something I’m missing?
> > >
> > > -Kevin
> > >
> > Looks like the browser is not using the system trust store.  Please
> > provide full details of operating system and package versions for
> > both freeipa and browser packages.
> >
> > Cheers,
> > Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
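
A shell check for the two questions raised in this thread (is the IPA CA actually present in the system bundle, and does the web server's certificate chain to it), added here as an example; it is not code from the thread or from the FreeIPA project. It builds a throwaway CA and server certificate with openssl so that it runs anywhere offline; the file names, the "Constructed IPA Test CA" subject and the bundle paths named in the comments are assumptions for the demonstration. On a real client you would pass /etc/ipa/ca.crt and the distribution's bundle path instead.

```shell
#!/bin/sh
# Added example (not from the list thread): check whether a CA certificate such
# as /etc/ipa/ca.crt is contained in a PEM CA bundle, and verify that a server
# certificate chains to that bundle. Needs only openssl and POSIX sh.
# Every file and name below is constructed for the demonstration.

# Return 0 if the certificate in $1 is contained (by SHA-256 fingerprint) in
# the PEM bundle $2. Typical bundle paths (assumed, not from the thread):
#   Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
#   RHEL/CentOS:   /etc/pki/tls/certs/ca-bundle.crt
ca_in_bundle() {
    ca="$1"; bundle="$2"
    want=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 2
    tmp=$(mktemp)
    found=1
    # Split the bundle one certificate at a time and compare fingerprints,
    # so a CA with the same subject but a different key is not mistaken for it.
    while IFS= read -r line; do
        printf '%s\n' "$line" >>"$tmp"
        case "$line" in
            *"END CERTIFICATE"*)
                got=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 2>/dev/null || true)
                : >"$tmp"
                if [ "$got" = "$want" ]; then found=0; break; fi
                ;;
        esac
    done <"$bundle"
    rm -f "$tmp"
    return $found
}

# Return openssl's verify status: 0 when the leaf $2 chains to a CA in $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1: a constructed IPA-like CA, a server
# certificate it signed, and an unrelated CA standing in for a trust store
# that does not contain the IPA CA.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed IPA Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Test CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=websrv1.ny.example.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.crt" >/dev/null 2>&1 || return 1
    # One bundle with the IPA CA added, one without it (what a client's
    # verifier sees before the CA is installed into the system trust store).
    cat "$dir/other.crt" "$dir/ca.crt" >"$dir/bundle-with-ipa.pem"
    cat "$dir/other.crt" >"$dir/bundle-without-ipa.pem"
}

# Stand-alone demonstration: report both checks against both bundles.
main() {
    d=$(mktemp -d)
    make_test_pki "$d" || { echo "openssl failed to build the test PKI"; exit 1; }
    for b in bundle-without-ipa bundle-with-ipa; do
        if ca_in_bundle "$d/ca.crt" "$d/$b.pem"; then s="present"; else s="missing"; fi
        if verify_chain "$d/$b.pem" "$d/srv.crt"; then v="OK"; else v="FAILS"; fi
        echo "$b: IPA CA $s, server certificate verification $v"
    done
    rm -rf "$d"
}

main "$@"
```

Where the CA has to go is distribution specific: on Debian/Ubuntu the bundle is regenerated by update-ca-certificates from /usr/local/share/ca-certificates/*.crt, on RHEL/CentOS/Fedora by update-ca-trust from /etc/pki/ca-trust/source/, which is where ipa-client-install registers the CA on Red Hat platforms. A CA in that bundle is still not seen by Firefox or Chrome on Linux, because both keep their own NSS databases (the Firefox profile's cert9.db and ~/.pki/nssdb for Chrome); certutil from libnss3-tools can add it there (for Chrome: certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "IPA CA" -i /etc/ipa/ca.crt), and Firefox can be given CAs through its enterprise policies (the Certificates key in policies.json).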


[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Seems to happen on both Ubuntu 16.04 and 18.04.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 16.04.6 LTS
Release:16.04
Codename:   xenial

$ firefox --version
Mozilla Firefox 67.0.4

freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64



Ubuntu 18.04 machine:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 18.04.3 LTS
Release:18.04
Codename:   bionic

freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all
[installed,automatic]
firefox/bionic-updates,bionic-security,now
69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]

Where is the system trust store located? I was going to validate that
the freeipa ca.crt is added to the system trust store. If it's not
there, how do you add the ca.crt to the system trust store?

Should the ipa-install-client command add the system wide trust store?

I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.

On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale  wrote:
>
> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> > Hello,
> >
> > I’m wanting to make our https servers use a trusted certificate within our 
> > LAN only. So for example if I have websrv1.ny.example.com when a user uses 
> > a machine that’s enrolled into our realm and they visit 
> > https://websrv1.ny.example.com they shouldn’t be prompted to accept the 
> > self signed certificate.
> >
> > I think I’m pretty close but I’m missing a small part.
> >
> > The ipa server is all setup and working. Hosts are enrolled to ipa and have 
> > the /etc/ipa/ca.crt.
> >
> > I have created a service for the http server in IPA. I have obtained a .key 
> > file and .crt file for my web server. Those keys for the web server are in 
> > the appropriate location and the web server is pointing at the certs 
> > correctly.
> >
> > On my clients when I go to the web server's URL I am no longer getting a 
> > “self signed cert” error message in the browser.
> >
> > That message has now changed to “unverified certificate authority”. Which 
> > basically indicates to me that the browser doesn’t know if this certificate 
> > authority should/can be trusted.
> >
> > If I go in the browser (firefox or chrome) in the certificate authority 
> > section and import the /etc/ipa/ca.crt I get no errors in the browser about 
> > it being unverified.
> >
> > So my question is, what am I missing to make the /etc/ipa/ca.crt file 
> > globally available for browsers to pick up the certificate automatically?
> >
> > when we enroll a host we simply do
> >
> > freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
> >
> > Accept the defaults, put in the password to enroll and that’s it. Is there 
> > something I’m missing?
> >
> > -Kevin
> >
> Looks like the browser is not using the system trust store.  Please
> provide full details of operating system and package versions for
> both freeipa and browser packages.
>
> Cheers,
> Fraser


[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> Hello,
> 
> I’m wanting to make our https servers use a trusted certificate within our 
> LAN only. So for example if I have websrv1.ny.example.com when a user uses a 
> machine that’s enrolled into our realm and they visit 
> https://websrv1.ny.example.com they shouldn’t be prompted to accept the self 
> signed certificate.
> 
> I think I’m pretty close but I’m missing a small part.
> 
> The ipa server is all setup and working. Hosts are enrolled to ipa and have 
> the /etc/ipa/ca.crt.
> 
> I have created a service for the http server in IPA. I have obtained a .key 
> file and .crt file for my web server. Those keys for the web server are in 
> the appropriate location and the web server is pointing at the certs 
> correctly.
> 
> On my clients when I go to the web server's URL I am no longer getting a “self 
> signed cert” error message in the browser.
> 
> That message has now changed to “unverified certificate authority”. Which 
> basically indicates to me that the browser doesn’t know if this certificate 
> authority should/can be trusted.
> 
> If I go in the browser (firefox or chrome) in the certificate authority 
> section and import the /etc/ipa/ca.crt I get no errors in the browser about 
> it being unverified. 
> 
> So my question is, what am I missing to make the /etc/ipa/ca.crt file 
> globally available for browsers to pick up the certificate automatically? 
> 
> when we enroll a host we simply do
> 
> freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir 
> 
> Accept the defaults, put in the password to enroll and that’s it. Is there 
> something I’m missing?
> 
> -Kevin
>
Looks like the browser is not using the system trust store.  Please
provide full details of operating system and package versions for
both freeipa and browser packages.

Cheers,
Fraser


[Freeipa-users] How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Hello,

I’m wanting to make our https servers use a trusted certificate within our LAN 
only. So for example if I have websrv1.ny.example.com when a user uses a 
machine that’s enrolled into our realm and they visit 
https://websrv1.ny.example.com they shouldn’t be prompted to accept the self 
signed certificate.

I think I’m pretty close but I’m missing a small part.

The ipa server is all setup and working. Hosts are enrolled to ipa and have the 
/etc/ipa/ca.crt.

I have created a service for the http server in IPA. I have obtained a .key 
file and .crt file for my web server. Those keys for the web server are in the 
appropriate location and the web server is pointing at the certs correctly.

On my clients when I go to the web server's URL I am no longer getting a “self 
signed cert” error message in the browser.

That message has now changed to “unverified certificate authority”. Which 
basically indicates to me that the browser doesn’t know if this certificate 
authority should/can be trusted.

If I go in the browser (firefox or chrome) in the certificate authority section 
and import the /etc/ipa/ca.crt I get no errors in the browser about it being 
unverified. 

So my question is, what am I missing to make the /etc/ipa/ca.crt file globally 
available for browsers to pick up the certificate automatically? 

when we enroll a host we simply do

freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir 

Accept the defaults, put in the password to enroll and that’s it. Is there 
something I’m missing?

-Kevin


[Freeipa-users] Re: Categories vs Groups

2019-10-09 Thread Russell Jones via FreeIPA-users
That makes sense. Thank you!

On Wed, Oct 9, 2019 at 1:02 PM Rob Crittenden  wrote:

> Russell Jones via FreeIPA-users wrote:
> > Hi all,
> >
> > I am in the beginning stages of researching moving from NIS to FreeIPA.
> > I am running through the workshop on the FreeIPA github, and am having
> > difficulty understanding the difference between categories and groups.
> >
> > For example, I have one HBAC rule that came pre-defined on my FreeIPA
> > server for "allow_systemd-user" that says it applies for user category
> > and host category of "all". But then the workshop has me add an HBAC
> > rule to allow a user to access a specific host by adding user and host
> > groups, not categories.
> >
> > I'm sure there is a simple difference between the two, but I am not
> > having much luck finding these concepts explained anywhere in the
> > documentation. Can you point me towards where I can find this?
>
> We wanted an easy way to apply rules to all entries of users or hosts.
> We could have just added a special option for that but at the time we
> figured that eventually other use cases like this would pop up so we
> created a category option with just one choice: all. We never did come
> up with another use case.
>
> The alternative would be to create a hostgroup or user group that
> contained all entries and that could become overwhelming. So it is
> basically a shortcut.
>
> rob
>


[Freeipa-users] Re: Categories vs Groups

2019-10-09 Thread Rob Crittenden via FreeIPA-users
Russell Jones via FreeIPA-users wrote:
> Hi all,
> 
> I am in the beginning stages of researching moving from NIS to FreeIPA.
> I am running through the workshop on the FreeIPA github, and am having
> difficulty understanding the difference between categories and groups.
> 
> For example, I have one HBAC rule that came pre-defined on my FreeIPA
> server for "allow_systemd-user" that says it applies for user category
> and host category of "all". But then the workshop has me add an HBAC
> rule to allow a user to access a specific host by adding user and host
> groups, not categories.
> 
> I'm sure there is a simple difference between the two, but I am not
> having much luck finding these concepts explained anywhere in the
> documentation. Can you point me towards where I can find this?

We wanted an easy way to apply rules to all entries of users or hosts.
We could have just added a special option for that but at the time we
figured that eventually other use cases like this would pop up so we
created a category option with just one choice: all. We never did come
up with another use case.

The alternative would be to create a hostgroup or user group that
contained all entries and that could become overwhelming. So it is
basically a shortcut.

rob


[Freeipa-users] Categories vs Groups

2019-10-09 Thread Russell Jones via FreeIPA-users
Hi all,

I am in the beginning stages of researching moving from NIS to FreeIPA. I
am running through the workshop on the FreeIPA github, and am having
difficulty understanding the difference between categories and groups.

For example, I have one HBAC rule that came pre-defined on my FreeIPA
server for "allow_systemd-user" that says it applies for user category and
host category of "all". But then the workshop has me add an HBAC rule to
allow a user to access a specific host by adding user and host groups, not
categories.

I'm sure there is a simple difference between the two, but I am not having
much luck finding these concepts explained anywhere in the documentation.
Can you point me towards where I can find this?

Thank you!


[Freeipa-users] Re: How to change the timeout of 60 seconds on the login with AD users

2019-10-09 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 03, 2019 at 10:48:40AM +, SOLER SANGUESA Miguel via 
FreeIPA-users wrote:
> Hello,
> 
> After a primary DNS server problem, I have realized that the IDM client has a 
> timeout of 60 s for the login.
> As the primary DNS was not working, the server used the secondary DNS and it 
> takes 4s to resolve any name; as I use AD users, in the authentication 
> phase all AD servers must be translated (9 servers), so it makes the 
> authentication very slow and the timeout of 60 s is triggered. I have modified 
> the resolv.conf to make the transition to the second DNS server faster 
> (resolving any name takes 2s), and then authentication is done in 48s so it 
> works.
> But what I want to know is how to modify those 60s of timeout. I have checked 
> the logs with debug_level = 9 and I don't see the "timeout" log.
> I have also changed (on client side):
> krb5_auth_timeout = 190
> pam_id_timeout = 190
> but it still has the timeout at 60s

Hi,

How do you try to log in?

There is LOGIN_TIMEOUT in /etc/login.defs, see man login.defs for
details.

HTH

bye,
Sumit

> 
> the client is:
> RHEL 6.10 (but I think it happens the same on RHEL 7)
> sssd-client-1.13.3-60.el6_10.2.x86_64
> ipa-client-3.0.0-51.el6.x86_64
> 
> sssd.conf:
> [domain/IPAdomain]
> krb5_auth_timeout = 190
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = IPAdomain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = CLIENT.domain.org
> chpass_provider = ipa
> ipa_server = _srv_, IPASERVER1, IPASERVER2
> dns_discovery_domain = IPAdomain
> [sssd]
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = IPAdomain
> default_domain_suffix = AD.domain
> [nss]
> filter_groups = root
> filter_users = root,iccsecure,tomcat,oracle
> reconnection_retries = 3
> [pam]
> reconnection_retries = 3
> pam_id_timeout = 190
> [sudo]
> [ssh]
> 
> On the Server side:
> RHEL 7.6
> sssd-1.16.2-13.el7_6.8.x86_64
> ipa-server-4.6.4-10.el7_6.3.x86_64
> 
> sssd.conf:
> [domain/IPAdomain]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = IPAdomain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = IPASERVER1
> chpass_provider = ipa
> ipa_server = IPASERVER1
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> subdomain_homedir = %o
> [sssd]
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = IPAdomain
> [domain/IPAdomain/ADdomain]
> ldap_search_base = ou=XXX,dc=,dc=X,dc=XXX
> [nss]
> filter_groups = root
> filter_users = root, iccsecure, tomcat, oracle
> reconnection_retries = 3
> memcache_timeout = 600
> homedir_substring = /home
> [pam]
> reconnection_retries = 3
> [ssh]
> [sudo]
> 
> I have attached the logs, timeout is triggered at 12:21:50
> 
> Thanks & Regards.


[Freeipa-users] Re: /var/lib/sss/pubconf/known_hosts empty

2019-10-09 Thread Vinícius Ferrão via FreeIPA-users
Hello,

On 9 Oct 2019, at 05:59, Jakub Hrozek via FreeIPA-users wrote:

> On Wed, Oct 09, 2019 at 12:25:33AM +, Vinícius Ferrão via FreeIPA-users wrote:
> > Hello,
> > 
> > The /var/lib/sss/pubconf/known_hosts file is empty on a newly installed FreeIPA 
> > server. I’ve already joined a machine to the domain but the file is still empty.
> > 
> > I can’t get it populated, already rebooted and/or restarted sssd without 
> > success.
> > 
> > Looking on the web I came across this bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1574778
> > 
> > It is Fedora related, but it’s the same version that I’m running, since I’m on 
> > CentOS 7.6.
> > 
> > How can I check if it is in fact this bug?
> > 
> > Here are some errors on sssd_ssh with debug_level = 9 enabled:
> > 
> > ==> /var/log/sssd/sssd_ssh.log <==
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x55b758c55dc0
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x55b758c56e10
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Invalid argument
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0040): CR #2: Data Provider Error: 3, 22, Invalid argument
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0400): CR #2: Due to an error we will return cached data
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_search_cache] (0x0400): CR #2: Looking up [hpclab01] in cache
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55b758c62d50
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55b758c62e10
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x55b758c62d50 "ltdb_callback"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x55b758c62e10 "ltdb_timeout"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x55b758c62d50 "ltdb_callback"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_search_cache] (0x0400): CR #2: Object [hpclab01] was not found in cache
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_process_result] (0x0400): CR #2: Finished: Not found
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55b758c60990
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55b758c63960
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x55b758c60990 "ltdb_callback"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x55b758c63960 "ltdb_timeout"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x55b758c60990 "ltdb_callback"
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.known_hosts.yfSd2J]
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.known_hosts.yfSd2J]
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: error [2]: No such file or directory
> > (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x55b7572d88e0:hpclab01:hpcla...@cluster.iq.ufrj.br]
> > 
> > ==> /var/log/sssd/sssd_cluster.iq.ufrj.br.log <==
> 
> Can you also enable debug_level for the domain to see why sssd_be is
> replying with Invalid Argument?

It was already on. I followed the instructions on the ticket, so here it is:

==> /var/log/sssd/sssd_cluster.iq.ufrj.br.log <==
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [sbus_dispatch] (0x4000): dbus conn: 0x55b328b4ac90
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.hostHandler on path /org/freedesktop/sssd/dataprovider
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [dp_attach_req] (0x0400): DP Request [HostID #9]: New request. Flags [].
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Oct  8 21:10:45 2019) [sssd[be[cluster.iq.ufrj.br]]] 
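
A small triage helper for logs like the excerpts in this thread, added as an example (it is not code from the thread or from SSSD): sssd tags every line with a zero-padded hex debug mask, so at debug_level 9 the few failure lines can be filtered out of the tracing by severity, and the "Data Provider Error" lines can be reduced to request id, DP error code and errno. The log written by write_sample_log is constructed for the demonstration, modelled on the sssd_ssh.log excerpt above; the default 0x0080 cutoff reflects sssd's documented masks (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor failures, higher masks are tracing).

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): severity filtering and
# Data Provider error extraction for sssd debug logs. POSIX sh and awk only.

# Print only lines whose debug mask is at or below $2 (default 0x0080).
# sssd prints the mask as "(0x0040):" with four zero-padded hex digits, so a
# plain string comparison orders the masks correctly without hex arithmetic.
sssd_severe_lines() {
    awk -v max="${2:-0x0080}" '
        match($0, /\(0x[0-9a-f]+\):/) {
            level = substr($0, RSTART + 1, RLENGTH - 3)
            if (level <= max) print
        }' "$1"
}

# Reduce every "CR #N: Data Provider Error: code, errno, message" line to
# "N code errno message", one per line, for quick correlation with sssd_be.
sssd_dp_errors() {
    awk '
        /Data Provider Error:/ {
            cr = ""
            if (match($0, /CR #[0-9]+/)) cr = substr($0, RSTART + 4, RLENGTH - 4)
            rest = substr($0, index($0, "Data Provider Error:") + 21)
            split(rest, f, ", ")
            print cr, f[1], f[2], f[3]
        }' "$1"
}

# Constructed sample log (not real output from the poster's system), shaped
# like the sssd_ssh.log lines quoted in the thread. Written to file $1.
write_sample_log() {
    cat >"$1" <<'EOF'
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Invalid argument
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0040): CR #2: Data Provider Error: 3, 22, Invalid argument
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0400): CR #2: Due to an error we will return cached data
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: error [2]: No such file or directory
EOF
}

# Stand-alone demonstration: failures first, then the DP error summary.
main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "== failure-level lines (mask <= 0x0080) =="
    sssd_severe_lines "$log"
    echo "== Data Provider errors: request dp_code errno message =="
    sssd_dp_errors "$log"
    rm -f "$log"
}

main "$@"
```

Run against a real file as sssd_severe_lines /var/log/sssd/sssd_ssh.log; passing 0x0400 as the second argument also keeps the function-trace lines (the cache_req ones), which is usually enough to follow one request without the ldb timer noise.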

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote:
> Have you made sure your “elham” user has the correct permissions to access 
> the machines? Take a look in the UI at the groups/permissions that user elham 
> has. Take a look at your HBAC rules as well. That would be my first 
> recommendation to check if it was me. 

Right, and the troubleshooting page suggests that (and increasing debug
logging).

Please provide the output of the things you have already looked at.

rob

> 
> -Kevin
> 
>> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users 
>>  wrote:
>>
>> ### Request for enhancement
>> As a Linux admin I want to log in to my ipa client with a user that is 
>> defined in the ipa-server UI.
>>
>> ### Issue
>> I installed Ipa-server and an Ipa-client on CentOS7.6
>> I defined Internal DNS on ipa-server and I defined A and PTR records for the 
>> client on ipa-server.
>> Now I can see my client in the ipa-UI and I defined a user with name "elham" and 
>> I expect that it can log in to ipa-client.
>> When I log in with root in ipa-client and I do sudo elham, it works and kinit 
>> elham works too but
>> when I do ssh into ipa-client with this user, it shows "Access denied"
>> I have errors with this context:
>> pam_reply : authentication failure to the client
>> pam_sss: authentication failure
>>
>> I'm tired of this issue. Please help me if you know the solution.
>>
>>  Steps to Reproduce
>> 1. define new user "elham" in ipa UI
>> 2. SSH to ipa-client with elham
>> 3. access denied
>>
>>  Actual behavior
>> (what happens)
>>
>>  Expected behavior
>> login into ipa-client successfully
>>
>>  Version/Release/Distribution
>>   ipa-server 4.6.5-11.el7
>>   ipa-client 4.6.4-10.el7.centos.3
>> Log files and config files are added below:
>>
>>
>>
>> krb5.conf
>> 
>> #File modified by ipa-client-install
>>
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = LSHS.DC
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> allow_weak_crypto = true
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> LSHS.DC = {
>> kdc = ipa-irvlt01.example.dc:88
>> admin_server = ipa-irvlt01.example.dc:749
>> default_domain = example.dc
>> }
>> [domain_realm]
>> .example.com = LSHS.DC
>> example.com = LSHS.DC
>> 
>>
>>
>> sssd.conf
>> -
>> [domain/example.dc]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = example.dc
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = ipacli-irvlt01.example.dc
>> chpass_provider = ipa
>> dyndns_update = True
>> ipa_server = _srv_, ipa-irvlt01.example.dc
>> dyndns_iface = ens160
>> dns_discovery_domain = example.dc
>>
>> debug_level = 10
>> [sssd]
>> ### AFTER IPA ###
>> #services = nss, sudo, pam, ssh
>> services = nss, pam
>> config_file_version = 2
>> #
>> domains = example.dc
>>
>> debug_level = 10
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> debug_level = 10
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>>
>> [secrets]
>>
>> [session_recording]
>>
>> ##
>>
>>


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Have you made sure your “elham” user has the correct permissions to access the 
machines? Take a look in the UI at the groups/permissions that user elham has. 
Take a look at your HBAC rules as well. That would be my first recommendation 
to check if it was me. 

-Kevin

> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users 
>  wrote:
> 
> ### Request for enhancement
> As a Linux admin I want to log in to my ipa client with a user that is 
> defined in the ipa-server UI.
> 
> ### Issue
> I installed Ipa-server and an Ipa-client on CentOS7.6
> I defined Internal DNS on ipa-server and I defined A and PTR records for the 
> client on ipa-server.
> Now I can see my client in the ipa-UI and I defined a user with name "elham" and 
> I expect that it can log in to ipa-client.
> When I log in with root in ipa-client and I do sudo elham, it works and kinit 
> elham works too but
> when I do ssh into ipa-client with this user, it shows "Access denied"
> I have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication failure
> 
> I'm tired of this issue. Please help me if you know the solution.
> 
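As an added example (mine, not code from the thread, FreeIPA or SSSD): before clicking through the UI, the PAM result code that pam_sss writes to /var/log/secure on the client already separates Kevin's HBAC case from a failed authentication. pam_sss logs "received for user <name>: <code> (<text>)" with the standard Linux-PAM return value, and sssd applies HBAC in the PAM account phase, so an HBAC denial appears as 6 (PAM_PERM_DENIED) from sshd:account, whereas 7 (PAM_AUTH_ERR) from sshd:auth means the password or Kerberos step failed. The sample log lines are constructed in that format for the user from the thread; the hostname, PIDs and addresses are made up, and the hint text is my own.

```python
"""Triage IPA ssh login failures from the pam_sss lines in /var/log/secure.

Added example, not code from the thread or from SSSD. pam_sss logs the PAM
result it received from sssd as "received for user <name>: <code> (<text>)".
The code is a standard Linux-PAM return value (security/_pam_types.h) and the
stage in parentheses ("auth" or "account") is the PAM phase that failed:
sssd enforces HBAC in the account phase, so an HBAC denial shows up as
6 (PAM_PERM_DENIED) from sshd:account, while a password or Kerberos problem
shows up as 7 (PAM_AUTH_ERR) from sshd:auth.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Linux-PAM return codes and the first thing to check for each one (hints are mine).
PAM_RESULTS = {
    0: ("PAM_SUCCESS", "login allowed"),
    6: ("PAM_PERM_DENIED",
        "access denied by sssd's access_provider: test the HBAC rules with "
        "'ipa hbactest --user=<user> --host=<client fqdn> --service=sshd'"),
    7: ("PAM_AUTH_ERR",
        "authentication failed: wrong password, or the krb5 child could not get "
        "a ticket (check sssd_pam.log, krb5_child.log and the KDC log)"),
    10: ("PAM_USER_UNKNOWN",
         "sssd could not resolve the user: check 'id <user>' and the id_provider"),
    12: ("PAM_NEW_AUTHTOK_REQD",
         "password expired or must be changed on first login"),
    13: ("PAM_ACCT_EXPIRED", "account expired or disabled"),
}

# pam_sss(sshd:auth): received for user elham: 7 (Authentication failure)
_RECEIVED = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<stage>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


@dataclass
class Verdict:
    user: str
    service: str   # PAM service, e.g. sshd
    stage: str     # PAM phase that returned the code: auth, account, ...
    code: int
    text: str      # pam_strerror text as logged
    symbol: str    # Linux-PAM symbolic name
    hint: str      # what to check next


def triage_line(line: str) -> Optional[Verdict]:
    """Return a Verdict for a pam_sss 'received for user' line, else None."""
    m = _RECEIVED.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    symbol, hint = PAM_RESULTS.get(
        code, ("PAM_%d" % code, "unlisted code; see pam_strerror(3)"))
    return Verdict(m.group("user"), m.group("service"), m.group("stage"),
                   code, m.group("text"), symbol, hint)


def triage(lines: Iterable[str]) -> List[Verdict]:
    """All pam_sss verdicts in the given log lines, in order."""
    return [v for v in map(triage_line, lines) if v is not None]


# Constructed sample (not from the post): the two typical outcomes for user
# "elham", in the format pam_sss writes to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Oct  9 08:30:11 ipacli-irvlt01 sshd[2231]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=elham
Oct  9 08:30:11 ipacli-irvlt01 sshd[2231]: pam_sss(sshd:auth): received for user elham: 7 (Authentication failure)
Oct  9 08:31:02 ipacli-irvlt01 sshd[2240]: pam_sss(sshd:account): Access denied for user elham: 6 (Permission denied)
Oct  9 08:31:02 ipacli-irvlt01 sshd[2240]: pam_sss(sshd:account): received for user elham: 6 (Permission denied)
Oct  9 08:31:40 ipacli-irvlt01 sshd[2251]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_SECURE_LOG.splitlines()):
        print(f"{v.service}:{v.stage} user={v.user} -> {v.code} {v.symbol}: {v.hint}")
```

Against a real client, call `triage(open("/var/log/secure"))`; on a system that logs to the journal, `journalctl -u sshd` yields the same pam_sss lines. A 7 from sshd:auth while `kinit elham` works on the same box points at the sssd side of the Kerberos exchange rather than at HBAC, which is exactly the distinction the sssd troubleshooting guide asks you to make first.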


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Elhamsadat Azarian via FreeIPA-users
I checked it but I couldn't solve it.

On Wed, 9 Oct 2019, 12:30 Jakub Hrozek via FreeIPA-users, <freeipa-users@lists.fedorahosted.org> wrote:

> On Wed, Oct 09, 2019 at 08:45:16AM -, Elhamsadat Azarian via
> FreeIPA-users wrote:
> > ### Request for enhancement
> > As a Linux admin I want to log in to my IPA client with a user that is
> > defined in the ipa-server UI.
> >
> > ### Issue
> > I installed ipa-server and an ipa-client on CentOS 7.6.
> > I defined internal DNS on the ipa-server and I defined A and PTR records for
> > the client on the ipa-server.
> > Now I can see my client in the IPA UI, and I defined a user with the name "elham"
> > and I expect that it can log in to the ipa-client.
> > When I log in as root on the ipa-client and do sudo elham, it works, and
> > kinit elham works too, but
> > when I SSH into the ipa-client with this user, it shows "Access denied".
> > I have errors with this context:
> > pam_reply : authentication failure to the client
> > pam_sss: authentication failure
> >
> > I'm tired of this issue. Please help me if you know the solution.
>
> Please start here:
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Jakub Hrozek via FreeIPA-users
On Wed, Oct 09, 2019 at 08:45:16AM -, Elhamsadat Azarian via FreeIPA-users 
wrote:
> ### Request for enhancement
> As a Linux admin I want to log in to my IPA client with a user that is 
> defined in the ipa-server UI.
> 
> ### Issue
> I installed ipa-server and an ipa-client on CentOS 7.6.
> I defined internal DNS on the ipa-server and I defined A and PTR records for 
> the client on the ipa-server.
> Now I can see my client in the IPA UI, and I defined a user with the name "elham" 
> and I expect that it can log in to the ipa-client.
> When I log in as root on the ipa-client and do sudo elham, it works, and kinit 
> elham works too, but
> when I SSH into the ipa-client with this user, it shows "Access denied".
> I have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication failure
> 
> I'm tired of this issue. Please help me if you know the solution.

Please start here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html


[Freeipa-users] Re: /var/lib/sss/pubconf/known_hosts empty

2019-10-09 Thread Jakub Hrozek via FreeIPA-users
On Wed, Oct 09, 2019 at 12:25:33AM +, Vinícius Ferrão via FreeIPA-users 
wrote:
> Hello,
> 
> The /var/lib/sss/pubconf/known_hosts file is empty on a new installed FreeIPA 
> server. I’ve already joined a machine to the domain but the file is still 
> empty.
> 
> I can’t get it populated, already rebooted and/or restarted sssd without 
> success.
> 
> Looking on the web I came across this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1574778
> 
> It is Fedora related, but it’s the same version that I’m running, since I’m 
> on CentOS 7.6.
> 
> How can I check if is in fact this bug?
> 
> Here are some errors on sssd_ssh with debug_level = 9 enabled:
> 
> ==> /var/log/sssd/sssd_ssh.log <==
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 
> 0x55b758c55dc0
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 
> 0x55b758c56e10
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply 
> from Data Provider - DP error code: 3 errno: 22 error message: Invalid 
> argument
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0040): 
> CR #2: Data Provider Error: 3, 22, Invalid argument
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0400): 
> CR #2: Due to an error we will return cached data
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_search_cache] (0x0400): CR 
> #2: Looking up [hpclab01] in cache
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event 
> "ltdb_callback": 0x55b758c62d50
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event 
> "ltdb_timeout": 0x55b758c62e10
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Running timer event 
> 0x55b758c62d50 "ltdb_callback"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
> 0x55b758c62e10 "ltdb_timeout"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Ending timer event 
> 0x55b758c62d50 "ltdb_callback"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No 
> such host
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_search_cache] (0x0400): CR 
> #2: Object [hpclab01] was not found in cache
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_process_result] (0x0400): 
> CR #2: Finished: Not found
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event 
> "ltdb_callback": 0x55b758c60990
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Added timed event 
> "ltdb_timeout": 0x55b758c63960
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Running timer event 
> 0x55b758c60990 "ltdb_callback"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
> 0x55b758c63960 "ltdb_timeout"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ldb] (0x4000): Ending timer event 
> 0x55b758c60990 "ltdb_callback"
> 
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No 
> such host
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [unique_filename_destructor] (0x2000): 
> Unlinking [/var/lib/sss/pubconf/.known_hosts.yfSd2J]
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [unlink_dbg] (0x2000): File already 
> removed: [/var/lib/sss/pubconf/.known_hosts.yfSd2J]
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending 
> reply: error [2]: No such file or directory
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): 
> Deleting request: 
> [0x55b7572d88e0:hpclab01:hpcla...@cluster.iq.ufrj.br]
> 
> ==> /var/log/sssd/sssd_cluster.iq.ufrj.br.log <==

Can you also enable debug_level for the domain to see why sssd_be is
replying with Invalid Argument?

> 
> ==> /var/log/sssd/sssd_ssh.log <==
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [client_recv] (0x0200): Client 
> disconnected!
> (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [client_close_fn] (0x2000): Terminated 
> client [0x55b758c4f940][18]
> 
> 
> 
> 
> Installed versions:
> 
> [root@headnode ~]# rpm -qa | grep -i sssd
> sssd-client-1.16.4-21.el7.x86_64
> sssd-ldap-1.16.4-21.el7.x86_64
> sssd-common-pac-1.16.4-21.el7.x86_64
> sssd-dbus-1.16.4-21.el7.x86_64
> sssd-ipa-1.16.4-21.el7.x86_64
> sssd-proxy-1.16.4-21.el7.x86_64
> sssd-common-1.16.4-21.el7.x86_64
> sssd-ad-1.16.4-21.el7.x86_64
> python-sssdconfig-1.16.4-21.el7.noarch
> sssd-krb5-common-1.16.4-21.el7.x86_64
> sssd-1.16.4-21.el7.x86_64
> sssd-krb5-1.16.4-21.el7.x86_64
> 
> 
> Thanks,
> 
> 

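An added example, not code from the thread or from SSSD, for reading dumps like the one above: every sssd log entry carries its debug category as a hex mask in the third bracketed field, and sssd.conf(5) reserves 0x0010 to 0x0080 for fatal, critical, serious and minor failures. Filtering on those masks reduces a debug_level = 9 log to the lines worth reading (here, the single 0x0040 entry from cache_req_common_dp_recv), and the data-provider result in that line is decoded with the DP_ERR_* names I recall from sssd's src/providers/data_provider.h (an assumption, labelled in the code) plus Python's errno module. The sample entries are the post's own lines re-joined onto single lines, since the mail client wrapped them.

```python
"""Filter an sssd responder log down to its failure-level entries.

Added example, not code from the thread or from SSSD. Every sssd log entry
carries the debug category of the message as a hex bit mask in its third
bracketed field; sssd.conf(5) lists 0x0010..0x0080 as the fatal, critical,
serious and minor failure categories. Filtering on those four masks pulls
the lines that matter out of a debug_level = 9 dump like the one in the post.
"""
import errno
import os
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Failure categories from the debug_level table in sssd.conf(5).
FAILURE_MASKS = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
}

# Data-provider result codes. Assumption: the enum order in sssd's
# src/providers/data_provider.h is DP_ERR_OK, DP_ERR_OFFLINE, DP_ERR_TIMEOUT, DP_ERR_FATAL.
DP_ERRORS = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}

# (Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0040): CR #2: ...
_ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Both spellings of the data-provider error seen in the post's excerpt.
_DP_ERR = re.compile(
    r"DP error code: (?P<dp>\d+) errno: (?P<errno>\d+)"
    r"|Data Provider Error: (?P<dp2>\d+), (?P<errno2>\d+)"
)


class Entry(NamedTuple):
    ts: str
    service: str
    func: str
    mask: int
    msg: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one sssd log line; None for continuation or unrelated lines."""
    m = _ENTRY.match(line.rstrip("\n"))
    if m is None:
        return None
    return Entry(m["ts"], m["svc"], m["func"], int(m["mask"], 16), m["msg"])


def failures(lines: Iterable[str]) -> List[Entry]:
    """Entries whose debug mask is one of the failure categories."""
    return [e for e in map(parse_entry, lines) if e is not None and e.mask in FAILURE_MASKS]


def decode_dp_error(text: str) -> Optional[Dict[str, str]]:
    """Decode a data-provider error reference into symbolic names."""
    m = _DP_ERR.search(text)
    if m is None:
        return None
    dp = int(m["dp"] or m["dp2"])
    err = int(m["errno"] or m["errno2"])
    return {
        "dp": DP_ERRORS.get(dp, "DP_ERR_%d" % dp),
        "errno": errno.errorcode.get(err, str(err)),
        "strerror": os.strerror(err),
    }


def report(lines: Iterable[str]) -> List[str]:
    """One line per failure, with the data-provider error decoded if present."""
    out = []
    for e in failures(lines):
        dp = decode_dp_error(e.msg)
        extra = f" [{dp['dp']}, {dp['errno']}]" if dp else ""
        out.append(f"{e.ts} {e.service}/{e.func} {FAILURE_MASKS[e.mask]}: {e.msg}{extra}")
    return out


# Entries re-joined onto single lines from the sssd_ssh.log excerpt in the post
# (the mail client wrapped them); real log files have one entry per line.
SAMPLE_SSSD_SSH_LOG = [
    "(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.",
    "(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Invalid argument",
    "(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0040): CR #2: Data Provider Error: 3, 22, Invalid argument",
    "(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [cache_req_common_dp_recv] (0x0400): CR #2: Due to an error we will return cached data",
    "(Tue Oct  8 21:10:37 2019) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SSSD_SSH_LOG)))
```

Run it as `report(open("/var/log/sssd/sssd_ssh.log"))`; once debug_level is set in the domain section as Jakub asks, the same filter applies to the domain log named in the post, sssd_cluster.iq.ufrj.br.log, which is where the reason for the EINVAL from sssd_be will be.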

[Freeipa-users] Ipa user can't login via ssh

2019-10-09 Thread Elhamsadat Azarian via FreeIPA-users
### Request for enhancement
As a Linux admin I want to log in to my IPA client with a user that is defined 
in the ipa-server UI.

### Issue
I installed ipa-server and an ipa-client on CentOS 7.6.
I defined internal DNS on the ipa-server and I defined A and PTR records for the 
client on the ipa-server.
Now I can see my client in the IPA UI, and I defined a user with the name "elham" and 
I expect that it can log in to the ipa-client.
When I log in as root on the ipa-client and do sudo elham, it works, and kinit 
elham works too, but
when I SSH into the ipa-client with this user, it shows "Access denied".
I have errors with this context:
pam_reply : authentication failure to the client
pam_sss: authentication failure

I'm tired of this issue. Please help me if you know the solution.

#### Steps to Reproduce
1. define new user "elham" in ipa UI
2. SSH to ipa-client with elham
3. access denied

#### Actual behavior
(what happens)

#### Expected behavior
log in to ipa-client successfully

#### Version/Release/Distribution
- ipa-server 4.6.5-11.el7
- ipa-client 4.6.4-10.el7.centos.3

Log files and config files are added below:



krb5.conf
---------
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LSHS.DC
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
LSHS.DC = {
kdc = ipa-irvlt01.example.dc:88
admin_server = ipa-irvlt01.example.dc:749
default_domain = example.dc
}
[domain_realm]
.example.com = LSHS.DC
example.com = LSHS.DC



sssd.conf
---------
[domain/example.dc]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.dc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipacli-irvlt01.example.dc
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-irvlt01.example.dc
dyndns_iface = ens160
dns_discovery_domain = example.dc

debug_level = 10
[sssd]
### AFTER IPA ###
#services = nss, sudo, pam, ssh
services = nss, pam
config_file_version = 2
#
domains = example.dc

debug_level = 10
[nss]
homedir_substring = /home

[pam]
debug_level = 10

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

##

