On Tue, Feb 19, 2019 at 06:19:18PM +0100, Morgan Marodin via FreeIPA-users wrote:
> Hi everybody.
> I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10.
> All is good, logging via IPA credentials, HBAC and sudo rules are working.
> I have only an issue logging via SSH with AD credentials. Before the upgrade
> all was working well.
> I think that the trust is ok, because kinit, ipa hbactest and ipa
> trustdomain-find (on both ipa servers) are working well:
>
> [root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM
>   Domain name: mydomain.com
>   Domain NetBIOS name: MYDOMAIN
>   Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root@mlv-ipasrv01 ~]# ipa hbactest --user=morgan.marodin@mydomain.com --host=mlv-testipa01.ipa.mydomain.com
> Service: sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_ad_ipa_admins
>   Not matched rules: allow_ad_ipa_apps
>   Not matched rules: allow_ipa_it_mysite
>
> [root@mlv-testipa01 ~]# kinit morgan.marodin@mydomain.com
> Password for morgan.marodin@mydomain.com:
> [root@mlv-testipa01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: morgan.marodin@MYDOMAIN.COM
>
> Valid starting       Expires              Service principal
> 02/19/2019 17:55:23  02/20/2019 03:55:23  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
> 	renew until 02/20/2019 17:55:18
>
> This is the error log:
>
> [root@mlv-testipa01 ~]# tail -f /var/log/secure
> Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
> Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)

This is returned by SSSD, please add debug_level=9 to the [domain/...]
section of sssd.conf, restart SSSD and try to login again. In the
domain log you should find the evaluation of the HBAC rules which might
explain why access was denied.

> Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252

I'm not sure where this message comes from. I had a short look at the
ssh and PAM source code, but so far didn't find a matching message.

bye,
Sumit

> Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104
>
> It seems to be a problem with pam and sssd.
> Do you have any suggestions?
> Thanks, bye.
> Morgan
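The point Sumit makes is that the password check (the PAM `auth` phase) succeeded and the refusal came from the `account` phase, which is where SSSD applies HBAC rules. The script below is an added example, not part of the thread and not SSSD or FreeIPA code: it groups the `/var/log/secure` lines quoted above by sshd PID and names the PAM phase at which each login was refused, and it shows the `sssd.conf` change Sumit suggests (`debug_level=9` in every `[domain/...]` section) applied to a constructed config. The sample log lines are copied from the thread; the sample `sssd.conf` (domain name `ipa.mydomain.com`, server `mlv-ipasrv01.ipa.mydomain.com`) is a constructed assumption.

```python
"""Classify sshd/pam_sss failures by PAM phase and enable SSSD domain debugging.

Added example for the thread above; not SSSD/FreeIPA code.
"""
import configparser
import io
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure excerpt quoted in the thread.
SAMPLE_SECURE_LOG = """\
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104
"""

# Constructed sample sssd.conf (domain name and server are assumptions).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.mydomain.com
services = nss, pam, ssh, sudo

[domain/ipa.mydomain.com]
id_provider = ipa
ipa_server = mlv-ipasrv01.ipa.mydomain.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PAM_SSS_RE = re.compile(r"^pam_sss\(sshd:(?P<phase>\w+)\): (?P<detail>.*)$")
PAM_ERR_RE = re.compile(r"^error: PAM: (?P<detail>.*) for (?P<user>\S+) from (?P<rhost>\S+)$")
USER_RE = re.compile(r"user[= ](?P<user>\S+?)(?::| |$)")


def parse_secure_log(text):
    """Group sshd lines by PID; record the result of each pam_sss phase seen."""
    sessions = defaultdict(lambda: {"user": None, "phases": {}, "errors": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        session = sessions[m["pid"]]
        msg = m["msg"]
        p = PAM_SSS_RE.match(msg)
        if p:
            # pam_sss reports "authentication success" or "Access denied ..."
            result = "success" if "success" in p["detail"] else "denied"
            session["phases"][p["phase"]] = result
            u = USER_RE.search(p["detail"])
            if u:
                session["user"] = u["user"]
            continue
        e = PAM_ERR_RE.match(msg)
        if e:
            session["user"] = e["user"]
            session["errors"].append(e["detail"])
        elif msg.startswith("fatal:"):
            session["errors"].append(msg)
    return dict(sessions)


def classify(session):
    """Name the PAM phase that refused the login; 'ok' if none did."""
    phases = session["phases"]
    if phases.get("auth") == "denied":
        return "auth"      # credentials or user lookup failed
    if phases.get("account") == "denied":
        return "account"   # credentials were fine; HBAC / account policy refused
    if session["errors"]:
        return "error"     # only sshd-side PAM errors, no pam_sss phase result
    return "ok"


def enable_domain_debug(conf_text, level=9):
    """Return sssd.conf text with debug_level set in every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            cp[section]["debug_level"] = str(level)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for pid, session in parse_secure_log(SAMPLE_SECURE_LOG).items():
        print(f"sshd[{pid}] user={session['user']} refused_at={classify(session)}")
    print(enable_domain_debug(SAMPLE_SSSD_CONF))
```

An `account`-phase refusal after an `auth`-phase success is the signature of an HBAC (or other account-policy) denial rather than a bad password, which is why the next step is the SSSD domain log rather than the Kerberos side. After writing the modified `sssd.conf` back, restart SSSD and reproduce the login before reading the domain log.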
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org