Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Sun, Jun 2, 2013 at 9:49 PM, Ryan Cunningham
ryan.cunningham.xy...@gmail.com wrote:
> Hello,
>
> I've been evaluating FreeIPA in a lab environment prior to possibly rolling
> it out in our enterprise but have been having issues with a few hosts
> rejecting SSH logins for users authenticated against the FreeIPA server via
> SSSD.
>
> All systems are running CentOS 6.4 with FreeIPA client/server 3.0.0
> installed from the base repo. The default RBAC rule to allow all users
> access to all hosts is in effect, the only Kerberos/LDAP/SSSD/PAM
> configuration changes that have been made on client machines (apart from
> enabling debug logging) were done with `ipa-client-install --mkhomedir`.
>
> I enabled debug logging for SSSD and have included relevant bits from the
> log files here:
> https://gist.github.com/arg0sy/5694537

What I see is:

 fatal: Access denied for user admin by PAM account configuration

I would compare the pam.d dir on systems where you can log in to the one
on systems you cannot log in to.

What about disabling selinux? Anything strange on audit.log? Maybe the
context of the homedir is not correct.

-- 
groet,
natxo

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Ryan Cunningham
> What I see is:
>
>  fatal: Access denied for user admin by PAM account configuration
>
> What about disabling selinux?


Whoops, I probably should have caught these myself.

Disabling SELinux fixed one of the hosts. I didn't even look at it because
I believed that I had disabled it previously.

The other problem host didn't have SELinux enabled but was missing the
/etc/selinux/targeted directory structure and was dropping an error:

 [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file
for SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun
2 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25

Everything's working fine now -- thanks for looking at those logs.

Best regards,
Ryan

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham
ryan.cunningham.xy...@gmail.com wrote:

>> What I see is:
>>
>>  fatal: Access denied for user admin by PAM account configuration
>>
>> What about disabling selinux?
>
>
> Whoops, I probably should have caught these myself.
>
> Disabling SELinux fixed one of the hosts. I didn't even look at it because I
> believed that I had disabled it previously.
>
> The other problem host didn't have SELinux enabled but was missing the
> /etc/selinux/targeted directory structure and was dropping an error:
>
>  [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for
> SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1(Sun Jun  2
> 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
>
> Everything's working fine now -- thanks for looking at those logs.

Glad it helped, but it should also work with selinux enabled.

Could you try running restorecon -rv on /etc and /home at least,
re-enabling selinux and logging in again? For me and many others, it
works and it really is the new 'best practices' to have it on ;-)

-- 
groet,
natxo
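
The check described for the second host in this thread, as an added example that is not part of the original messages: it counts `write_selinux_login_file` failures in an sssd_pam log and reports whether the `targeted` policy's `logins` directory exists. The function names are hypothetical, the root argument exists only so the check can run against a test tree, and the sample log is constructed from the line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage the sssd_pam SELinux login-file failure.

# Count log lines where sssd_pam could not write its SELinux login file.
count_selinux_write_failures() {
    grep -c 'write_selinux_login_file.*SELinux data failed' "$1" || true
}

# Report whether ROOT/etc/selinux/POLICY/logins exists.
# ROOT is "" on a live host; a scratch directory when testing.
selinux_logins_dir_state() {
    local root="$1" policy="${2:-targeted}"
    if [ -d "${root}/etc/selinux/${policy}/logins" ]; then
        echo present
    else
        echo missing
    fi
}

# Combine both checks into one finding for a host.
triage_host() {
    local root="$1" log="$2" failures state
    failures=$(count_selinux_write_failures "$log")
    state=$(selinux_logins_dir_state "$root")
    if [ "$failures" -eq 0 ]; then
        echo "no-selinux-write-failure"
    elif [ "$state" = missing ]; then
        echo "policy-dir-missing failures=${failures}"
    else
        echo "policy-dir-present failures=${failures}"
    fi
}

# Constructed sample: a scratch root without the policy tree, and a log
# modelled on the line quoted in the thread.
demo_root=$(mktemp -d)
mkdir -p "${demo_root}/var/log/sssd"
cat > "${demo_root}/var/log/sssd/sssd_pam.log" <<'EOF'
(Sun Jun  2 18:01:44 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/adminnik1F1
(Sun Jun  2 18:01:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 25
EOF
triage_host "$demo_root" "${demo_root}/var/log/sssd/sssd_pam.log"
rm -rf "$demo_root"
```

On a real client the call would be `triage_host "" /var/log/sssd/sssd_pam.log`, with SSSD debug logging enabled as in the original report.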
