Mustapha Aissat via FreeIPA-users wrote:
> Hi all,
> 
> 
> I'm facing some problems connecting an AD user to a Linux host via ssh.
> 
> 
> I already configured the trust between the IPA server and AD.
> 
> I created an external group "*grp_dba*" that points to the AD group.
> 
> I created a POSIX group "*admindba*" that contains the external group.
> 
> I created an HBAC rule "*allow_dba*" to allow the group to access the host.
> 
> 
> I did an HBAC test and it tells me that access is granted to the
> user. On the client host, id, getent and even su work, but I still can't
> ssh!
> 
> 
> Can you please guide me?
> 
> 
> Thank you in advance.
> 
> 
> Here are some commands that I used, and logs:
> 
> ----------
> 
> _on IPA server :_
> 
> 
> [root@idm01 ~]# *ipa group-show admindba*
>   Group name: admindba
>   GID: 336200005
>   Member groups: grp_dba
>   Member of HBAC rule: allow_dba
> 
> 
> [root@idm01 ~]# *ipa hbactest [email protected]
> --host=zabbix.linux.dz.corp --service=sshd*
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_dba
> 
> 
> _On Client host :_
> 
> 
> [root@zabbix ~]# *id [email protected]*
> uid=1790001108([email protected]) gid=1790001108([email protected])
> groups=1790001108([email protected]),1790000513(domain
> [email protected]),336200005(admindba),1790001107([email protected])
> 
> 
> [root@zabbix ~]# *geten [email protected]*
> getenforce  getent      
> 
> 
> [root@zabbix ~]# *getent passwd [email protected]*
> [email protected]:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
> 
> 
> [root@zabbix ~]# *getent group [email protected]*
> [email protected]:*:1790001108:
> 
> 
> [root@zabbix ~]# *su - [email protected]*
> Last login: Mon Feb  1 16:57:39 CET 2021 on pts/1
> *[[email protected]@zabbix ~]$ logout*
> [root@zabbix ~]#
> 
> 
> 
> [root@zabbix ~]# *journalctl -e*
> 
> Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos
> Cache Manager...
> Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos
> Cache Manager.
> Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> Ticket not yet valid

Looks to me like the system is not in time sync with the KDC.

rob

> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.122.1 [email protected]
> Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> received for user [email protected]: 6 (Permission denied)
> Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM:
> Authentication failure for [email protected] from 192.168.122.1
> Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed
> keyboard-interactive for [email protected] from 192.168.122.1 port
> 43908 ssh2 [preauth]
> Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by
> authenticating user [email protected] 192.168.122.1 port 43908 [preauth]
> 
> 
> 
> -------
> 
> Best regards,
> 
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> 
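The journal excerpt above shows why the symptom is confusing: `id` and `getent` are identity lookups only, and `su -` run as root does not authenticate the target user, so neither path exercises the Kerberos credential check that `sshd` triggers through `pam_sss`. The `krb5_child` "Ticket not yet valid" lines immediately before the `pam_sss` failure are the tell: the client clock is behind the KDC by more than the krb5 `clockskew` tolerance (300 s by default), so the freshly issued ticket's start time is still in the future from the client's point of view. The following triage script is an added example, not code from the thread or from SSSD/FreeIPA. It parses journal lines in the format shown above and, for each `pam_sss` authentication failure, reports whether a `krb5_child` clock-skew message appeared within a few seconds before it; the sample journal, user names, host name, addresses and PIDs are constructed placeholders, not the poster's values.

```python
"""Triage sshd/SSSD journal lines: separate Kerberos clock-skew failures
from other pam_sss authentication failures (added example, constructed data)."""
import re
from datetime import datetime, timedelta

# krb5 [libdefaults] clockskew default: 300 seconds.
DEFAULT_CLOCKSKEW_SECONDS = 300

# Constructed sample modelled on the thread's journalctl output.
# Host, user, addresses and PIDs are placeholders.
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 client.example.test systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 client.example.test [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 client.example.test [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 client.example.test sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=dbauser@ad.example
Feb 01 19:32:33 client.example.test sshd[17080]: pam_sss(sshd:auth): received for user dbauser@ad.example: 6 (Permission denied)
Feb 01 19:32:35 client.example.test sshd[17076]: error: PAM: Authentication failure for dbauser@ad.example from 192.0.2.10
Feb 01 19:40:02 client.example.test sshd[17120]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=other@ad.example
Feb 01 19:40:02 client.example.test sshd[17120]: pam_sss(sshd:auth): received for user other@ad.example: 7 (Authentication failure)
"""

# "Mon DD HH:MM:SS host process[pid]: message" (journalctl short format).
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+?): (.*)$")
PAM_FAIL_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.* user=(\S+)")

# krb5_child messages that point at the client clock rather than at
# credentials or HBAC. "Clock skew too great" is the other libkrb5 wording.
SKEW_MESSAGES = ("Ticket not yet valid", "Clock skew too great")


def parse_journal(text, year=2021):
    """Parse journal lines into dicts; the year is assumed because the
    short journal format omits it."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m.group(2),
                        "proc": m.group(3), "msg": m.group(4)})
    return records


def triage_auth_failures(records, window_seconds=5):
    """For every pam_sss failure, attach any krb5_child clock-skew messages
    logged within window_seconds before it and classify the failure."""
    findings = []
    for i, rec in enumerate(records):
        m = PAM_FAIL_RE.search(rec["msg"])
        if not m:
            continue
        lower = rec["ts"] - timedelta(seconds=window_seconds)
        skew = [r for r in records[:i]
                if r["ts"] >= lower and "krb5_child" in r["proc"]
                and any(s in r["msg"] for s in SKEW_MESSAGES)]
        findings.append({
            "ts": rec["ts"].isoformat(sep=" "),
            "user": m.group(1),
            "reason": ("clock skew between client and KDC" if skew
                       else "other (credentials, HBAC or PAM)"),
            "evidence": [r["msg"] for r in skew],
        })
    return findings


def skew_exceeds_tolerance(offset_seconds, clockskew=DEFAULT_CLOCKSKEW_SECONDS):
    """True when a measured client/KDC offset would make krb5 reject tickets."""
    return abs(offset_seconds) > clockskew


if __name__ == "__main__":
    for finding in triage_auth_failures(parse_journal(SAMPLE_JOURNAL)):
        print(finding)
```

Running it flags the first failure as clock skew (two `krb5_child` messages within the window) and the second, which has no such neighbour, as something else to investigate. On a real client the confirming check is the time source itself, for example `chronyc tracking` (or `timedatectl`) on the host compared with the KDC, and the fix is restoring time synchronisation rather than loosening HBAC or PAM.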