WHAT HAPPENED:

Hello all, I recently re-deployed the FreeIPA server & clients due to an issue where an IPA-created user wasn't able to SSH into their home directory (permission denied). There were several solutions that mentioned running "authselect enable-feature with-mkhomedir" or "sudo authconfig --enablemkhomedir --update". At the time, none of these worked because a) authselect wasn't available on my system and I didn't think to install it, and b) authconfig was available but didn't work.

ISSUE:

I decided to redeploy the entire FreeIPA deployment with "sudo ipa-server-install/ipa-client-install --mkhomedir" and now I can't authenticate to IPA clients with an IPA-created user. I wasn't able to authenticate to the IPA server either until I spun up a new VM and reinstalled it. As of now, I have an IPA server (vipa.homelab.internal - 192.168.254.198) and a client (vpdns.homelab.internal - 192.168.254.33). I can authenticate the user "ldo" to vipa.homelab.internal via SSH but am unable to do so for vpdns.homelab.internal.

RELATED THREADS:

I stumbled upon some old threads with users facing a similar issue, but they weren't getting anywhere.

1. https://listman.redhat.com/archives/freeipa-users/2014-December/msg00197.html
2. https://listman.redhat.com/archives/freeipa-users/2015-March/015895.html
3. https://listman.redhat.com/archives/freeipa-users/2015-March/016247.html

I believe the 1st link is the issue I might have (SSSD/PAM is somehow misconfigured). Others have pointed out that "sudo ipa-client-install/ipa-server-install --uninstall" is not a clean process, which I believe might have caused some misconfiguration. I'm not familiar with how SSSD/PAM should be configured. I'm hoping this is where I can get help.

Below are my SSH logs and /var/log/secure from vpdns.homelab.internal.

SSH LOGS

[ldo@vipa ~]$ ssh -v [email protected]
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vpdns.homelab.internal
debug1: permanently_drop_suid: 1860400001
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ldo/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to vpdns.homelab.internal:22 as 'ldo'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:CmN1AtdcdqAbPxZNE8lEdpZSVOsBlzhel9cfHwS3j9M
debug1: Host 'vpdns.homelab.internal' is known and matches the ECDSA host key.
debug1: Found key in /home/ldo/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/[email protected] not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ldo/.ssh/id_rsa
debug1: Trying private key: /home/ldo/.ssh/id_dsa
debug1: Trying private key: /home/ldo/.ssh/id_ecdsa
debug1: Trying private key: /home/ldo/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
[email protected]'s password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
[email protected]'s password:
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.

/var/log/secure

Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:42 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:47 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198

Please let me know if I need to provide any additional information or logs. Do kindly specify where I can get them as well, since I'm just starting out in Linux and FreeIPA. Thank you all in advance.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
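The transcript above shows two separate failures on the client: GSSAPI is refused because the KDC reports the client's host principal as "not found in Kerberos database", and the password fallback is then rejected by pam_sss. The script below is an added example (not code from the post or from the FreeIPA project) of the offline checks a practitioner would run to separate the two: derive the host principal sshd needs, test whether it appears in `klist -kt` output, count the pam_sss failures per user in /var/log/secure lines, and classify the GSSAPI step of an `ssh -v` transcript. The realm HOMELAB.INTERNAL, the keytab path /etc/krb5.keytab, the stale hostname oldvpdns.homelab.internal and all sample inputs are constructed assumptions so the script runs with no IPA server present; the keytab check covers only the client side, and a "not found in Kerberos database" error still has to be confirmed against `ipa host-show` on the server.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the FreeIPA project.
# Offline versions of checks for an IPA client that rejects both
# gssapi-with-mic and password logins. Every input below is a constructed
# string shaped like the real command output, so the script runs without an
# IPA server. Assumed (hypothetical) values: realm HOMELAB.INTERNAL, keytab
# /etc/krb5.keytab, an earlier client name oldvpdns.homelab.internal.

# 1. The service principal sshd presents for GSSAPI. Compare the result with
#    `ipa host-show <fqdn>` on the server: the ssh error "not found in
#    Kerberos database" means the KDC has no principal by this name.
expected_host_principal() {
    # $1 = client FQDN, $2 = Kerberos realm
    printf 'host/%s@%s\n' "$1" "$2"
}

# 2. Client side: does the keytab hold that principal? Reads `klist -kt`
#    output on stdin; exit status 0 when the principal is the last column
#    of any entry line (header and separator lines never match).
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# 3. PAM side: count pam_sss "authentication failure;" records for a user in
#    /var/log/secure lines read from stdin. The "received for user ...: 7"
#    lines report the same events again, so they are deliberately not counted.
count_pam_sss_failures() {
    grep -F 'pam_sss(sshd:auth): authentication failure;' \
        | grep -c -F -- "user=$1" || true
}

# 4. Classify the GSSAPI step of an `ssh -v` transcript read from stdin.
diagnose_gssapi() {
    out=$(cat)
    case "$out" in
        *"not found in Kerberos database"*)    echo "host principal not in KDC" ;;
        *"No Kerberos credentials available"*) echo "no client ticket" ;;
        *)                                     echo "unknown" ;;
    esac
}

# ---- constructed sample inputs (not real captures) ----
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/20/2023 14:02:11 host/vpdns.homelab.internal@HOMELAB.INTERNAL'

# Keytab left behind by an earlier enrolment under a different hostname.
SAMPLE_KEYTAB_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/01/2023 09:15:40 host/oldvpdns.homelab.internal@HOMELAB.INTERNAL'

SAMPLE_SECURE='Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)'

SAMPLE_SSH_V='debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/vpdns.homelab.internal@HOMELAB.INTERNAL not found in Kerberos database'

# Stand-alone run. On a real client replace the printf pipes with
#   klist -kt /etc/krb5.keytab | keytab_has_principal "$princ"
#   grep pam_sss /var/log/secure | count_pam_sss_failures ldo
princ=$(expected_host_principal vpdns.homelab.internal HOMELAB.INTERNAL)
echo "expected principal: $princ"
for kt in "$SAMPLE_KEYTAB_OK" "$SAMPLE_KEYTAB_STALE"; do
    if printf '%s\n' "$kt" | keytab_has_principal "$princ"; then
        echo "keytab: principal present"
    else
        echo "keytab: principal MISSING (re-enrol, or fetch a key with ipa-getkeytab)"
    fi
done
echo "pam_sss failures for ldo: $(printf '%s\n' "$SAMPLE_SECURE" | count_pam_sss_failures ldo)"
echo "gssapi: $(printf '%s\n' "$SAMPLE_SSH_V" | diagnose_gssapi)"
```

When the keytab check passes but the KDC still reports the principal as missing, the host object on the server side is what to inspect; when the keytab check fails after an uninstall/reinstall cycle, a stale /etc/krb5.keytab from the previous enrolment is the usual cause. Neither check explains a pam_sss password failure on its own, which is why the failure count is reported separately.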
