Hello list.
I'm a new user of FreeIPA trying to use it to manage SSH user
authentication in a cluster of CentOS machines.
I built a server dedicated to running FreeIPA server and have successfully
set it up. I'm able to get the web UI from it, and everything seems as
expected based on the docs.
I tried to enroll a CentOS 7 client to the new FreeIPA server so that I
can log in to this client via SSH using the user accounts I created on
the FreeIPA server. This is where I hit a roadblock. The freeipa-client
install went as per the docs, but I'm unable to log in via SSH.
Note:
My FreeIPA server is in a different domain than the client, and the
server and client are served by different DNS servers.
FreeIPA server: freeipa1.nghpc.dk
served by a DNS server ns1.nghpc.dk
resolves to an internal ip address 10.x.x.x
reverse lookup is also successful.
FreeIPA client: c10b01.ctrl.ghpc.dk
served by a DNS server dns.ghpc.dk
resolves to an internal ip address 10.x.x.x
reverse lookup is successful.
Added an additional DNS A record to the freeipa server and the client
can successfully resolve freeipa1.nghpc.dk
Trying to log in to the newly enrolled client:
localmachine > ssh admin@c10b01
Password:
Password:
Password:
It keeps repeating the password prompts in spite of supplying the
correct password. No meaningful errors thrown either.
On the client,
here is how krb5.conf looks:
cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NGHPC.DK
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NGHPC.DK = {
kdc = freeipa1.nghpc.dk:88
master_kdc = freeipa1.nghpc.dk:88
admin_server = freeipa1.nghpc.dk:749
kpasswd_server = freeipa1.nghpc.dk:464
default_domain = nghpc.dk
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nghpc.dk = NGHPC.DK
nghpc.dk = NGHPC.DK
c10b01.ctrl.ghpc.dk = NGHPC.DK
.ctrl.ghpc.dk = NGHPC.DK
ctrl.ghpc.dk = NGHPC.DK
I do not see any errors in any of the logs at /var/log/ and
/var/log/sssd/
However, if I'm logged in as root on the client box, I can see that the
users I created on FreeIPA exist and are accessible.
[root@c10b01 ~]# id nasampath
uid=29756(nasampath) gid=1517 groups=1517
[root@c10b01 ~]# id admin
uid=1768600000(admin) gid=1768600000(admins) groups=1768600000(admins)
I can su into them fine, but not log in as them over SSH.
I'm lost trying to troubleshoot this. Appreciate any help figuring out
where to look to understand what is going on.
Thanks,
--
Aravindh Sampathkumar
aravindh(a)fastmail.com
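As an added example (not part of the original post, nor FreeIPA's own tooling), the script below reproduces the libkrb5 [domain_realm] lookup over the krb5.conf pasted in the message: an exact hostname match first, then each parent domain with a leading dot, then default_realm. It derives the realm and the host principal the client will present, which is the value to compare against the keytab before digging into sssd. The SAMPLE_KRB5_CONF text is a constructed copy of the post's configuration, and the function names (conf_value, realm_for_host, host_principal) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Walks the [domain_realm] rules
# the way libkrb5 does and builds the host principal a FreeIPA client is
# expected to hold in /etc/krb5.keytab.

# Constructed copy of the relevant parts of the krb5.conf from the post.
SAMPLE_KRB5_CONF='[libdefaults]
default_realm = NGHPC.DK
dns_lookup_realm = false
[domain_realm]
.nghpc.dk = NGHPC.DK
nghpc.dk = NGHPC.DK
c10b01.ctrl.ghpc.dk = NGHPC.DK
.ctrl.ghpc.dk = NGHPC.DK
ctrl.ghpc.dk = NGHPC.DK
'

# conf_value SECTION KEY: print the value of KEY inside [SECTION] of the
# krb5.conf text read from stdin; prints nothing if the key is absent.
conf_value() {
    awk -v sec="[$1]" -v key="$2" '
        /^[[:space:]]*\[/ { in_sec = ($1 == sec); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    '
}

# realm_for_host HOSTNAME: exact host entry first, then ".parent.domain"
# entries from the most specific to the least, then default_realm
# (the DNS TXT fallback is skipped because dns_lookup_realm is false).
realm_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(printf '%s' "$SAMPLE_KRB5_CONF" | conf_value domain_realm "$host")
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(printf '%s' "$SAMPLE_KRB5_CONF" | conf_value domain_realm ".$d")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    printf '%s' "$SAMPLE_KRB5_CONF" | conf_value libdefaults default_realm
}

# host_principal HOSTNAME: the service principal sshd (GSSAPI) and sssd
# (TGT validation) expect to find in the client's keytab.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$(realm_for_host "$1")"
}

# Usage: sh realm-check.sh c10b01.ctrl.ghpc.dk
if [ -n "${1:-}" ]; then
    printf 'realm:          %s\n' "$(realm_for_host "$1")"
    printf 'host principal: %s\n' "$(host_principal "$1")"
fi
```

Run it with the client's fully qualified name and compare the printed principal with the entries from `klist -kt /etc/krb5.keytab` on that client; a principal that does not appear there means password logins will fail in sssd's TGT validation step even though lookups with `id` still work, since lookups only need the LDAP side. Running `kinit admin` on the client separately tells you whether the KDC path itself is healthy.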