Re: [Freeipa-users] Admin password not accepted during replica install
When this command failed for me, it usually was a problem with SSSD on the master. The service was down, offline or simply something wrong was with it. On the master, I would try: $ id admin $ ssh admin@localhost # (with password) If that works, try manual $ ssh admin@ipa.master.server # with password and $ kinit admin #(you can use temporary krb5.conf pointing to IPA master) $ ssh admin@ipa.master.server # with password to see what's really wrong. Martin On 08/01/2015 11:05 PM, Matt . wrote: I even checked working version (IPA clusters) and they don't even have this AllowGroups. Am I missing something ? 2015-08-01 22:52 GMT+02:00 Janelle janellenicol...@gmail.com: which points to the configuration of sssd.conf and/or nsswitch.conf It is in there. If you say there are no AllowGroups in sshd, it has to be in one of those 2 places. ~J On 8/1/15 1:26 PM, Matt . wrote: kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired,
Re: [Freeipa-users] Admin password not accepted during replica install
Have you considered clock skew? It is probably not the cause here, but is worth eliminating just in case. A difference as small as 5 minutes between the clocks of the client and server can cause problems with authentication. Chris From: Martin Kosek mko...@redhat.com To: Matt . yamakasi@gmail.com, Janelle janellenicol...@gmail.com Cc: freeipa-users@redhat.com freeipa-users@redhat.com Date: 03.08.2015 08:49 Subject:Re: [Freeipa-users] Admin password not accepted during replica install Sent by:freeipa-users-boun...@redhat.com When this command failed for me, it usually was a problem with SSSD on the master. The service was down, offline or simply something wrong was with it. On the master, I would try: $ id admin $ ssh admin@localhost # (with password) If that works, try manual $ ssh admin@ipa.master.server # with password and $ kinit admin #(you can use temporary krb5.conf pointing to IPA master) $ ssh admin@ipa.master.server # with password to see what's really wrong. Martin On 08/01/2015 11:05 PM, Matt . wrote: I even checked working version (IPA clusters) and they don't even have this AllowGroups. Am I missing something ? 2015-08-01 22:52 GMT+02:00 Janelle janellenicol...@gmail.com: which points to the configuration of sssd.conf and/or nsswitch.conf It is in there. If you say there are no AllowGroups in sshd, it has to be in one of those 2 places. ~J On 8/1/15 1:26 PM, Matt . wrote: kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh
[Freeipa-users] Admin password not accepted during replica install
Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
which points to the configuration of sssd.conf and/or nsswitch.conf It is in there. If you say there are no AllowGroups in sshd, it has to be in one of those 2 places. ~J On 8/1/15 1:26 PM, Matt . wrote: kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin password not accepted during replica install
I even checked working version (IPA clusters) and they don't even have this AllowGroups. Am I missing something ? 2015-08-01 22:52 GMT+02:00 Janelle janellenicol...@gmail.com: which points to the configuration of sssd.conf and/or nsswitch.conf It is in there. If you say there are no AllowGroups in sshd, it has to be in one of those 2 places. ~J On 8/1/15 1:26 PM, Matt . wrote: kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns me: debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa ((nil)), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa: No such file or directory debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ecdsa debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /root/.ssh/id_ed25519 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password admin@ipa-01.domain.local's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com: What is in the logs on the machine that is failing? Can you login to admin from anywhere? Logs are you best friend. Also, a simply ssh -vvv will help. ~J On 8/1/15 12:51 PM, Matt . wrote: Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file. If you do, add the admins group. Also, make sure on the master, that the /etc/nsswitch.conf was properly updated. Several server installs I have done, have left off the sss for passwd, group and shadow. passwd: files sss shadow: files sss group: files sss I bet one of those will fix your problem. Restart sssd and/of sshd if you have to make changes. ~Janelle On 8/1/15 10:13 AM, Matt . wrote: Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project