I have a small FreeIPA setup and user login works OK on the client systems. Recently, I wanted to add a new machine as a client. I loaded Fedora 33 on the machine and installed freeipa-client. Installation seems to be OK and I can see all users with find-user on the client system. However, when existing users try to log in to the new client machine via ssh, it shows the error permission denied. These users can log in to old client machines and server (to check) without any problems. To debug the problem, I created new user accounts and they seem to log in with all client machines (old + new) without any trouble. DNS for the machines is set through hosts file.
I don't have deep knowledge about this stuff, but after reading some online threads here are a few things I tried:

1. Updated the server (Fedora) to the latest packages.
2. Made sure the new client machine is chrony/ntp synchronized with the server.
3. Tried enabling pre-authentication for an old user on the server.
4. kinit admin; ipa user-find --all lists all FreeIPA users on the new client machine.
5. Set debug_level of sssd to 9. Checking krb5_child.log shows:

For old users with failed authentication:

    [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
    [sss_krb5_prompter] (0x4000): Prompt [0][Password for [email protected]].
    [krb5_child[2789]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
    [sss_child_krb5_trace_cb] (0x4000): [2789] 1615347264.001283: Preauth module spake (151) (real) returned: -1765328254/Cannot read password

For newly created users, these logs are a bit more detailed and, in general, show success of authentication.

I am not sure which part to focus on to debug this problem. Any help/suggestions are appreciated.

Thank you.
