It's happened 5 or 6 times over the past year that users attempting to log in
to various Linux servers (using our IdM servers for authentication) are unable
to do so. When we look in the /var/log/secure file on the client servers, we
see messages that look like this:
pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
pam_sss(sshd:auth): authentication success; logname= <blahblah>...
pam_sss(sshd:account): User info message: Permission denied.
pam_sss(sshd:account): system info: [The user account is expired on the AD server]
pam_sss(sshd:account): Access denied for user <username>: 13 (User account has expired)
pam_unix(sshd:auth): authentication failure; logname= <balhblah>...
pam_sss(sshd:auth): authentication success; logname= <blahblah>...
Failed password for <username> from <ip address> port 64452 ssh2
fatal: Access denied for user <username> by PAM account configuration [preauth]
The user's account is both good and valid, and his password is correct. The
'fix' for when we see this is to stop the sssd service, clear the local cache
("rm -rf /var/lib/sss/db/*"), and then restart the sssd service. Once we do
that, the user is able to log back in, no problem.
As far as I can tell this is a problem with the client server itself, NOT
FreeIPA, because I don't think the client is actually sending the login request
back to the IdM server, but is there any way I can check the logs on the FreeIPA
server to see if it's getting the authorization request to begin with? I've
only ever seen this on our Linux servers that authorize through FreeIPA, not any
other ones.
Mahalo!
Scott
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
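An added example, not from Scott's post or from the FreeIPA/SSSD projects: a small shell script that picks the "password accepted, account expired" signature out of /var/log/secure text and then emits the narrower per-user checks, on the client and on the IPA server, that a practitioner would run before wiping the whole SSSD cache. The sample log lines, hostnames, PIDs, addresses and user names are constructed; the log paths are the Fedora/RHEL defaults and the dirsrv instance name (slapd-EXAMPLE-COM) is a placeholder to replace with your own.

```shell
#!/bin/bash
# Constructed sample of /var/log/secure entries mirroring the pattern in the post;
# hostnames, PIDs, addresses and user names here are made up.
SAMPLE_SECURE='Jan 10 08:01:02 cl1 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Jan 10 08:01:02 cl1 sshd[1234]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Jan 10 08:01:02 cl1 sshd[1234]: pam_sss(sshd:account): Access denied for user alice: 13 (User account has expired)
Jan 10 08:01:02 cl1 sshd[1234]: fatal: Access denied for user alice by PAM account configuration [preauth]
Jan 10 08:05:10 cl1 sshd[1300]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=bob
Jan 10 08:05:10 cl1 sshd[1300]: Failed password for bob from 10.0.0.9 port 50000 ssh2
Jan 10 08:07:00 cl1 sshd[1350]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=carol
Jan 10 08:07:00 cl1 sshd[1350]: pam_sss(sshd:account): Access denied for user carol: 13 (User account has expired)'

# Read /var/log/secure text on stdin and print, one per line, every user whose
# password was accepted by pam_sss(sshd:auth) and who was then refused by
# pam_sss(sshd:account) with "User account has expired" in the same sshd process.
# A correct password plus an "expired" verdict is the contradiction the post
# describes; bob (wrong password, no account verdict) is not reported.
stale_cache_suspects() {
    awk '
        # Remember sshd PID -> user for every successful pam_sss auth.
        /pam_sss\(sshd:auth\): authentication success/ {
            if (match($0, /sshd\[[0-9]+\]/)) pid = substr($0, RSTART + 5, RLENGTH - 6)
            if (match($0, /user=[^ ]+/))     ok[pid] = substr($0, RSTART + 5, RLENGTH - 5)
        }
        # Report the user when the same PID later gets the expired verdict.
        /pam_sss\(sshd:account\): Access denied for user .*User account has expired/ {
            if (match($0, /sshd\[[0-9]+\]/)) pid = substr($0, RSTART + 5, RLENGTH - 6)
            if (pid in ok) { print ok[pid]; delete ok[pid] }
        }
    ' | sort -u
}

# Print the narrower checks for one user. The client-side commands are the
# standard SSSD tools (sssctl, sss_cache); the server-side greps look at the IPA
# KDC log and the 389-ds access log, which is where a request that actually
# reached the server would show up. The dirsrv instance name is a placeholder.
triage_commands() {
    user="$1"
    cat <<EOF
# client: replay the PAM account stage through SSSD without touching the cache
sssctl user-checks -s sshd -a acct "$user"
# client: invalidate only this user's cached entry instead of rm -rf /var/lib/sss/db/*
sss_cache -u "$user"
# IPA server: did a Kerberos AS-REQ for this principal arrive?
grep "AS-REQ" /var/log/krb5kdc.log | grep -i "$user@"
# IPA server: did an LDAP lookup for this user arrive?
grep -i "uid=$user" /var/log/dirsrv/slapd-EXAMPLE-COM/access
EOF
}

# Usage: run the detector over the sample and print the triage steps per suspect.
printf '%s\n' "$SAMPLE_SECURE" | stale_cache_suspects | while read -r u; do
    triage_commands "$u"
done
```

In practice you would feed real log text (`grep sshd /var/log/secure | stale_cache_suspects`) and run the printed commands by hand; `sssctl user-checks -a acct` is the quickest way to see whether SSSD's account verdict comes from its cache without a round trip, and the KDC/LDAP greps answer the question of whether the request reached the IPA server at all.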