On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote:
On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users
wrote:
> hi guys
>
> I think it was asked on the list before but I still cannot find the thread.
>
> Should AD's users be able to login to IPA's clients (non-replica) in a
> pretty vanilla setup? Those users can login to IPA masters okay.
>
> I have not created any HBACs yet, nor added new hostgroups etc.
>
> When I ssh to IPA's client that client denies that user & shows:
>
> pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
Hi,
'Permission denied' is typically returned during the PAM access control
step 'pam_sss(sshd:account)'. For auth there should be only a few cases
like an expired user in AD, but in this case login to the IPA masters
shouldn't work as well.
Please add 'debug_level=9' at least to the [pam] and [domain/...]
section of sssd.conf on the client, restart SSSD, try to authenticate
and send the logs from /var/log/sssd.
bye,
Sumit
hi,
before I dump the whole lot of logs this is a snippet at the moment ssh
auth fails after debug_level=9
..
k,cn=users,cn=mine.private,cn=sysdb] has set [ts_cache] attrs.
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [ldb] (0x4000):
commit ldb transaction (nesting: 0)
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done]
(0x0100): Backend is marked offline, retry later!
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]]
[check_wait_queue] (0x1000): Wait queue for user [pawel(a)mine.private] is
empty.
..
does the above give out any clues?
many thanks, L.
> ...
>
> many thanks, L.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
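
The two kinds of log line quoted in this thread (the pam_sss result and the SSSD backend debug output) can be triaged with a short script. This is an added example, not code from the thread's participants or from SSSD; the sample input is constructed from the quoted lines (with the archive's "(a)" written as "@"), and the function names `unwrap` and `triage` are hypothetical.

```python
import re

# Constructed sample, modelled on the lines quoted in this thread and kept
# wrapped the way a mail client wraps them.
SAMPLE = """\
pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done]
(0x0100): Backend is marked offline, retry later!
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]]
[check_wait_queue] (0x1000): Wait queue for user [pawel@mine.private] is
empty.
"""

# A record starts with an SSSD timestamp or contains a pam_sss result.
START = re.compile(r"^(\(\w{3} \w{3} +\d+ [\d:]{8} \d{4}\) |.*pam_sss\()")
PAM = re.compile(r"pam_sss\((\w+):(\w+)\): received for user (\S+): (\d+) \(([^)]*)\)")
SSSD = re.compile(r"^\(([^)]+)\) \[sssd\[be\[([^\]]+)\]\]\] \[(\w+)\] \((0x[0-9a-f]+)\): (.*)$")

def unwrap(text):
    """Rejoin log records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Return (kind, detail) findings: failed PAM steps and offline backends."""
    findings = []
    for rec in unwrap(text):
        m = PAM.search(rec)
        if m:
            svc, phase, user, code, msg = m.groups()
            if int(code) != 0:  # 0 is PAM_SUCCESS
                findings.append(("pam_" + phase, f"{user}: {msg} ({code}) in {phase} step of {svc}"))
            continue
        m = SSSD.match(rec)
        if m and "marked offline" in m.group(5):
            ts, domain, func = m.group(1), m.group(2), m.group(3)
            findings.append(("backend_offline", f"{domain} offline in {func} at {ts}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, "-", detail)
```

A `pam_auth` finding next to a `backend_offline` finding for the same login attempt points at the client's connection to its domain rather than at access control rules, which are evaluated in the account step.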