On Wed, Mar 10, 2021 at 03:48:34AM -0000, Sam Bell via FreeIPA-users wrote:
> I have a small FreeIPA setup and user login works ok on the client systems.
> Recently, I wanted to add a new machine as a client.
> I loaded Fedora 33 on the machine and installed freeipa-client. Installation
> seems to be ok and I can see all users with find-user
> on the client system. However, when existing users try to log in to the new
> client machine via ssh, it shows the error permission denied.
> These users can log in to old client machines and server (to check) without
> any problems. To debug the problem, I created new user accounts
> and they seem to log in with all client machines (old + new) without any
> trouble. DNS for the machines is set through hosts file.
>
> I don't have deep knowledge about this stuff but after reading some online
> threads here are a few things I tried:
> 1. Updated the server (Fedora) to latest packages.
> 2. Made sure new client machine is chrony/ntp synchronized with server.
> 3. Tried enabling pre-authentication for old user on server.
> 4. kinit admin; ipa user-find --all lists all freeipa users on new client
> machine.
> 5. Set debug_level of sssd to 9.
>
> Checking krb5_child.log shows:
> For old users with failed authentication:
> [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> [sss_krb5_prompter] (0x4000): Prompt [0][Password for [email protected]].
> [krb5_child[2789]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> [sss_child_krb5_trace_cb] (0x4000): [2789] 1615347264.001283: Preauth module spake (151) (real) returned: -1765328254/Cannot read password

Hi,

the above output only contains some details for debugging but typically does
not indicate an issue. Can you send the full krb5_child.log?

bye,
Sumit

>
> For newly created users, these logs are a bit more detailed and in general,
> show success of authentication.
>
> I am not sure which part to focus on to debug this problem.
> Any help/suggestions are appreciated.
> Thank you.
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
