### Request for enhancement
As a Linux admin, I want to log in to my IPA client with a user that is defined
in the ipa-server UI.

### Issue
I installed ipa-server and an ipa-client on CentOS 7.6.
I defined internal DNS on ipa-server, and I defined A and PTR records for the client
on ipa-server.
Now I can see my client in the IPA UI. I defined a user named "elham", and I
expect that it can log in to ipa-client.
When I log in as root on ipa-client and do sudo elham, it works, and kinit
elham works too, but
when I SSH into ipa-client with this user, it shows "Access denied".
I get errors like these:
pam_reply : authentication failure to the client
pam_sss: authentication falure

I'm tired of this issue. Please help me if you know the solution.

#### Steps to Reproduce
1. Define new user "elham" in the IPA UI
2. SSH to ipa-client as elham
3. Access denied

#### Actual behavior
(what happens)

#### Expected behavior
Log in to ipa-client successfully

#### Version/Release/Distribution
   ipa-server 4.6.5-11.el7
   ipa-client 4.6.4-10.el7.centos.3
Log files and config files are added below:



krb5.conf
------------
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LSHS.DC
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
LSHS.DC = {
kdc = ipa-irvlt01.example.dc:88
admin_server = ipa-irvlt01.example.dc:749
default_domain = example.dc
}
[domain_realm]
.example.com = LSHS.DC
example.com = LSHS.DC
############################################


sssd.conf
-------------
[domain/example.dc]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.dc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipacli-irvlt01.example.dc
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-irvlt01.example.dc
dyndns_iface = ens160
dns_discovery_domain = example.dc

debug_level = 10
[sssd]
########### AFTER IPA ###################
#services = nss, sudo, pam, ssh
services = nss, pam
config_file_version = 2
#########################################
domains = example.dc

debug_level = 10
[nss]
homedir_substring = /home

[pam]
debug_level = 10

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

##########################################


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org