WHAT HAPPENED:
Hello all, I recently re-deployed the FreeIPA server & clients due to an issue where an
IPA-created user wasn't able to SSH into their home directory (permission denied).
There were several solutions that mentioned running "authselect enable-feature
with-mkhomedir" or "sudo authconfig --enablemkhomedir --update". At the
time, none of these worked because a) authselect wasn't available on my system and I
didn't think to install it, and b) authconfig was available but didn't work.
ISSUE:
I decided to redeploy the entire FreeIPA deployment with "sudo
ipa-server-install/ipa-client-install --mkhomedir" and now I can't authenticate
to IPA clients with an IPA-created user. I wasn't able to authenticate to the IPA
server either until I spun up a new VM and reinstalled it.
As of now, I have an IPA server (vipa.homelab.internal - 192.168.254.198) and a client
(vpdns.homelab.internal - 192.168.254.33). I can authenticate the user "ldo" to
vipa.homelab.internal via SSH but am unable to do so for vpdns.homelab.internal.
RELATED THREAD:
I stumbled upon some old threads with users facing a similar issue but they weren't
getting anywhere.
1. https://listman.redhat.com/archives/freeipa-users/2014-December/msg00197....
2. https://listman.redhat.com/archives/freeipa-users/2015-March/015895.html
3. https://listman.redhat.com/archives/freeipa-users/2015-March/016247.html
I believe the 1st link is the issue I might have (SSSD/PAM is somehow misconfigured).
Others have pointed out that "sudo ipa-client-install/ipa-server-install
--uninstall" is not a clean process, which I believe might have caused some
misconfiguration. I'm not familiar with how SSSD/PAM should be configured.
I'm hoping this is where I can get help.
Below are my SSH logs and /var/log/secure from vpdns.homelab.internal
SSH LOGS
[ldo@vipa ~]$ ssh -v ldo@vpdns.homelab.internal
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vpdns.homelab.internal
debug1: permanently_drop_suid: 1860400001
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to vpdns.homelab.internal:22 as 'ldo'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:CmN1AtdcdqAbPxZNE8lEdpZSVOsBlzhel9cfHwS3j9M
debug1: Host 'vpdns.homelab.internal' is known and matches the ECDSA host key.
debug1: Found key in /home/ldo/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server host/vpdns.homelab.internal@HOMELAB.INTERNAL not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ldo/.ssh/id_rsa
debug1: Trying private key: /home/ldo/.ssh/id_dsa
debug1: Trying private key: /home/ldo/.ssh/id_ecdsa
debug1: Trying private key: /home/ldo/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: password
ldo@vpdns.homelab.internal's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
ldo@vpdns.homelab.internal's password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
ldo@vpdns.homelab.internal's password:
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.
/var/log/secure
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:42 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:47 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198
Please let me know if I need to provide any additional information or logs. Do kindly
specify where I can get them as well since I'm just starting out in Linux and FreeIPA.
Thank you all in advance.
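An added triage script, not part of the post above and not FreeIPA's or SSSD's own tooling, that reads the three artefacts a responder would ask for here (the `ssh -v` transcript, the pam_sss lines from /var/log/secure, and the client's PAM stack) and states what each implies: the "not found in Kerberos database" line means the KDC the client is talking to has no host principal for vpdns, i.e. the client is not enrolled with the current IPA server, and pam_sss code 7 is PAM_AUTH_ERR. The two log samples are reconstructed from the lines quoted in the post; the PAM fragment, the hint wording and the names of the follow-up checks are the editor's assumptions.

```python
"""Triage helpers for an IPA client that rejects SSH logins (added example; not
code from the original post or from FreeIPA/SSSD).  It parses the artefacts the
poster supplied, the `ssh -v` transcript and the pam_sss lines from
/var/log/secure, plus the client's PAM stack, and reports what each implies.
The log samples are reconstructed from the post; the PAM fragment is a
constructed, hypothetical /etc/pam.d/system-auth."""
import re
from typing import Dict, List, Tuple

# Numeric codes pam_sss logs in "received for user X: N" (Linux-PAM return values).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
# libkrb5 prints this when the KDC has no entry for the requested service
# principal; for SSH GSSAPI that principal is host/<fqdn>@REALM.
_GSS_UNKNOWN = re.compile(r"Server (host/\S+@[A-Z0-9.\-]+) not found in Kerberos database")
_OFFERED = re.compile(r"Authentications that can continue:\s*(\S+)")
_PAM_SSS = re.compile(r"pam_sss\((\w+):auth\): received for user (\S+): (\d+)")

def triage_ssh_debug(text: str) -> Dict[str, object]:
    """Summarise a client-side `ssh -v` transcript and attach hints."""
    offered = _OFFERED.search(text)
    unknown = _GSS_UNKNOWN.search(text)
    denied = "Permission denied" in text
    hints: List[str] = []
    if unknown:
        hints.append(f"KDC has no entry for {unknown.group(1)}: the target host has no host "
                     "entry in the KDC this client talks to (enrolled against a previous IPA "
                     "server, or not at all); compare `klist -kt /etc/krb5.keytab` on the "
                     "target with `ipa host-show` on the server")
    if unknown and denied:
        hints.append("password auth goes through SSSD, which by default validates the "
                     "user's TGT against the host keytab, so a stale enrolment breaks it too")
    return {"offered_methods": offered.group(1).split(",") if offered else [],
            "missing_host_principal": unknown.group(1) if unknown else None,
            "password_rejected": denied, "hints": hints}

def triage_secure_log(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (pam_service, user, code, PAM_NAME) for each pam_sss failure line."""
    found = []
    for m in _PAM_SSS.finditer(text):
        code = int(m.group(3))
        found.append((m.group(1), m.group(2), code, PAM_CODES.get(code, f"PAM code {code}")))
    return found

def check_pam_stack(pam_text: str) -> List[str]:
    """Report what the stack lacks for SSSD logins with auto-created home
    directories (the pieces `--mkhomedir` / authselect with-mkhomedir add)."""
    modules: Dict[str, List[str]] = {"auth": [], "account": [], "password": [], "session": []}
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") not in modules:  # '-' = optional module
            continue
        end = 1  # control field may be bracketed and contain spaces: find its ']'
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
        if len(fields) > end + 1:
            modules[fields[0].lstrip("-")].append(fields[end + 1])
    findings = [f"{t}: pam_sss.so missing, IPA users are not handled here"
                for t, mods in modules.items() if "pam_sss.so" not in mods]
    if not {"pam_mkhomedir.so", "pam_oddjob_mkhomedir.so"} & set(modules["session"]):
        findings.append("session: no pam_mkhomedir.so/pam_oddjob_mkhomedir.so, "
                        "home directories are not created at first login")
    return findings

# Samples: the two logs are reconstructed from the post, the PAM file is constructed.
SSH_DEBUG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/vpdns.homelab.internal@HOMELAB.INTERNAL not found in Kerberos database
ldo@vpdns.homelab.internal's password:
Permission denied, please try again.
"""
SECURE_LOG = """\
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
"""
PAM_SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
-session    optional      pam_systemd.so
session     required      pam_unix.so
"""

if __name__ == "__main__":
    for hint in triage_ssh_debug(SSH_DEBUG)["hints"]:
        print("ssh -v :", hint)
    for entry in triage_secure_log(SECURE_LOG):
        print("secure :", entry)
    for finding in check_pam_stack(PAM_SYSTEM_AUTH):
        print("pam    :", finding)
```

Run it as-is to see the three reports; point `check_pam_stack` at the real `/etc/pam.d/system-auth` (or `password-auth`, which sshd uses on RHEL/CentOS 7) to see whether the `--mkhomedir` flag actually landed a session module. The PAM parser handles bracketed control values (`[default=bad success=ok ...]`) and the leading `-` that marks an optional module, which a naive `grep pam_sss` does not.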