Hi all,
I'm facing some problems with connecting an AD user to a Linux host via ssh. I already configured the trust between the IPA server and AD. I created an external group "grp_dba" that points to the AD group, I created a POSIX group "admindba" that contains the external group, and I created an HBAC rule "allow_dba" to allow the group to access the host. I did an HBAC test and it tells me that access is granted to the user. On the client host, id, getent and even su work, but I still can't ssh! Can you please guide me? Thank you in advance.

Here are some commands that I used and the logs:

----------
On IPA server:

[root@idm01 ~]# ipa group-show admindba
  Group name: admindba
  GID: 336200005
  Member groups: grp_dba
  Member of HBAC rule: allow_dba

[root@idm01 ~]# ipa hbactest [email protected] --host=zabbix.linux.dz.corp --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_dba

On client host:

[root@zabbix ~]# id [email protected]
uid=1790001108([email protected]) gid=1790001108([email protected]) groups=1790001108([email protected]),1790000513(domain [email protected] ),336200005(admindba),1790001107([email protected])

[root@zabbix ~]# geten [email protected]
getenforce  getent

[root@zabbix ~]# getent passwd [email protected]
[email protected] :*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:

[root@zabbix ~]# getent group [email protected]
[email protected]:*:1790001108:

[root@zabbix ~]# su - [email protected]
Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
[[email protected]@zabbix ~]$ logout
[root@zabbix ~]#

[root@zabbix ~]# journalctl -e
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 [email protected]
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user [email protected]: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for [email protected] from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for [email protected] from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user [email protected] 192.168.122.1 port 43908 [preauth]
-------

Best regards,
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
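An added triage script (not part of the post above, nor of FreeIPA or SSSD) that parses journalctl output of the kind shown above: it pairs each pam_sss sshd authentication failure with the krb5_child "Ticket not yet valid" messages logged in the seconds before it, the error Kerberos returns when a ticket's start time lies ahead of the local clock, which is why time synchronisation between client, IPA server and AD is the first thing to verify when that message appears. The embedded journal sample and the user name dbauser@ad.example are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the journal excerpt in the post (user name invented).
JOURNAL = """\
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=dbauser@ad.example
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user dbauser@ad.example: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for dbauser@ad.example from 192.168.122.1
"""

# journalctl short format: "Mon DD HH:MM:SS host source: message" (no year in the line)
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<src>.+?): (?P<msg>.*)$")
KRB5_CHILD_RE = re.compile(r"krb5_child\[(?P<pid>\d+)\]")
PAM_FAIL_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*).*user=(?P<user>\S+)")

def parse_journal(text, year=2021):
    """Turn journalctl lines into dicts with a real timestamp (year is assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "src": m["src"], "msg": m["msg"]})
    return events

def triage(text, window_seconds=5):
    """One finding per pam_sss sshd failure, listing krb5_child PIDs that reported
    'Ticket not yet valid' within the preceding window (deduplicated, sorted)."""
    events = parse_journal(text)
    findings = []
    for ev in events:
        fail = PAM_FAIL_RE.search(ev["msg"])
        if not fail:
            continue
        lo = ev["ts"] - timedelta(seconds=window_seconds)
        pids = sorted({KRB5_CHILD_RE.search(e["src"])["pid"] for e in events
                       if lo <= e["ts"] <= ev["ts"] and "Ticket not yet valid" in e["msg"]
                       and KRB5_CHILD_RE.search(e["src"])})
        findings.append({"time": ev["ts"].strftime("%b %d %H:%M:%S"), "user": fail["user"],
                         "rhost": fail["rhost"], "krb5_child_pids": pids,
                         "hint": "ticket start time ahead of local clock: check time sync on client, IPA and AD"
                                 if pids else "no Kerberos clock error seen; check HBAC/PAM"})
    return findings

if __name__ == "__main__":
    for finding in triage(JOURNAL):
        print(finding)
```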
