[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

Dale Macartney dale at themacartneyclan.com
Sat Feb 23 22:40:03 UTC 2013



On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Even folks
>>
>> I've verified this both in a kickstart and via manual install to verify
>> any user error on my part.
>>
>> I have a clean installation of RHEL 6.4 for an IPA domain of example.com
>>
>> I also have several clients which are also clean installs of RHEL 6.4
>> and although I can see IPA users via getent and even acquire TGTs
>> successfully, I am unable to log in with any IPA user on any IPA member
>> server.
>>
>> I see the same results for any type of login attempt, e.g. gnome desktop
>> or ssh
>>
>> My client installation is done by this command.
>>
>> ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
>>
>> IPA client version 3.0.0-25
>> SSSD version 1.9.2-82
>>
>>
>> Logs from the client are as follows.
>>
>> ==> /var/log/secure <==
>> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.0.1.254 user=admin
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
>> message: Your password will expire in 89 day(s).
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.0.1.254 user=admin
>>
>> ==> /var/log/btmp <==
>> s ssh:nottyadmin10.0.1.254@>)Q
>> ?
>> ==> /var/log/secure <==
>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
>> denied for user admin: 4 (System error)
>> Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
>> 10.0.1.254 port 55554 ssh2
>> Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
>> admin by PAM account configuration
>>
>> ==> /var/log/Xorg.0.log <==
>> [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
>> from local host ( uid=42 gid=42 pid=1958 )
>> Auth name: MIT-MAGIC-COOKIE-1 ID: 284
>> [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected
>>
>> ==> /var/log/messages <==
>> Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
>> stratum 5
>> Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
>> stratum 11
>>
>>
>> Interactive shell output as follows:
>>
>> [mac@rhodey ~]$ ssh admin@10.0.1.102
>> admin@10.0.1.102's password:
>> Your password will expire in 89 day(s).
>> Connection closed by 10.0.1.102
>> [mac@rhodey ~]$
>>
>>
>> Am I doing something rather trivially wrong or is there something fishy
>> going on here?
>>
>> Thanks in advance.
>
> I'd check your HBAC configuration.
>
> rob
>
That is actually the very first thing I did, as it is a 100% clean
installation of IPA, plus the addition of one user and one IPA replica.

All users are granted access to all hosts.

[root@ds01 ~]# ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root@ds01 ~]#



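
An added example (not part of the original post, and not FreeIPA or SSSD code): a small Python triage of the /var/log/secure lines quoted in the message above, grouping PAM messages by sshd PID to show which PAM phase rejected the login and with which return code. The function names, the constructed sample (the post's log lines unwrapped to one entry per line) and the reading of code 6 as a policy denial are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure lines from the post, unwrapped to one entry per line.
SAMPLE = """\
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info message: Your password will expire in 89 day(s).
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from 10.0.1.254 port 55554 ssh2
Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user admin by PAM account configuration
"""

# Linux-PAM return codes relevant to the account phase (6 read as a policy denial: assumption).
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED"}

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)")
DENY = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def triage(log_text):
    """Group PAM messages by sshd PID and record the outcome of each phase."""
    sessions = defaultdict(lambda: {"auth": None, "account": None, "code": None, "user": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-PAM sshd lines (e.g. "Failed password") carry no phase
        s, msg = sessions[m["pid"]], m["msg"]
        if m["phase"] == "auth" and msg.startswith("authentication success"):
            s["auth"] = f"success via {m['mod']}"
        elif m["phase"] == "auth" and msg.startswith("authentication failure") and s["auth"] is None:
            s["auth"] = f"failure via {m['mod']}"
        elif m["phase"] == "account":
            d = DENY.match(msg)
            if d:
                s.update(account="denied", code=int(d["code"]), user=d["user"])
    return dict(sessions)

def verdict(s):
    """Say which phase rejected the login and whether it was a policy denial or an error."""
    if s["account"] == "denied":
        name = PAM_CODES.get(s["code"], "other")
        kind = "policy denial" if name == "PAM_PERM_DENIED" else "error in the account check"
        return f"{s['user']}: auth {s['auth']}, account denied with {s['code']} ({name}): {kind}"
    return f"auth {s['auth']}, no account-phase denial logged"

if __name__ == "__main__":
    for pid, s in triage(SAMPLE).items():
        print(pid, verdict(s))
```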
