[Freeipa-users] New users can't log into Centos client

[Thomas,Dave]

Thanks, Rob. It's strange, then, that it works on the Fedora 10 clients, because Challenge-Response is disabled in sshd_config on those machines as well...
-Dave
________________________________________
From: Rob Crittenden [rcritten at redhat.com]

> Thomas,Dave wrote:
>> Hi,
>>
>> I've got two FreeIPA (1.2.1) servers running on Fedora 10, with some FreeIPA clients running on CentOS 5.2 and some clients on Fedora 10 (all with FreeIPA 1.2.1) Everything seems to be working fine, except when a new user tries to log in for the first time.
>>
>> If a new user (or someone who had their password reset) tries to ssh into one of the CentOS clients, it  (which are the only clients our remote users log into) it says "Permission denied, please try again." If the same user tries to log into one of the Fedora clients or one of the FreeIPA servers, They are asked to change their password as usual. Also, if I su to a new user account, it will let me change the password as normal, even on the CentOS clients, so I'm thinking that there is something that is not configured right in ssh. This same thing also happened when I had Redhat IPA installed on the CentOS clients.
>>
>> On the CentOS Machines, I've installed nss-ldap 261-4 and python-kerberos 1.1-3.1 compiled from the fedora 10 source rpms.
>>
>> Does anyone know what is causing this behavior? It's not a show-stopper, but it would be nice to get this solved.
>
>You need to enable Challenge-Response in sshd:
>
>http://freeipa.org/page/AdministratorsGuide#Using_Password_Authentication
>
>rob