Loi Do via FreeIPA-users wrote:
> WHAT HAPPENED:
> Hello all, I recently re-deployed FreeIPA server & clients due to an issue
> where an IPA-created user wasn't able to SSH into their home directory
> (permission denied). There were several solutions that mentioned to run
> "authselect enable-feature with-mkhomedir" or "sudo authconfig
> --enablemkhomedir --update". At the time, none of these worked because a)
> authselect wasn't available on my system and I didn't think to install it, b)
> authconfig was available but didn't work.
>
> ISSUE:
> I decided to redeploy the entire FreeIPA deployment with "sudo
> ipa-server-install/ipa-client-install --mkhomedir" and now I can't
> authenticate to IPA clients with an IPA-created user. I wasn't able to
> authenticate to the IPA server either until I spun up a new VM and
> reinstalled it.
>
> As of now, I have an IPA server (vipa.homelab.internal - 192.168.254.198) and
> client (vpdns.homelab.internal - 192.168.254.33). I can authenticate the user
> "ldo" to vipa.homelab.internal via SSH but am unable to do so for
> vpdns.homelab.internal.
>
> RELATED THREADS:
> I stumbled upon some old threads with users facing a similar issue but they
> weren't getting anywhere.
> 1. https://listman.redhat.com/archives/freeipa-users/2014-December/msg00197.html
> 2. https://listman.redhat.com/archives/freeipa-users/2015-March/015895.html
> 3. https://listman.redhat.com/archives/freeipa-users/2015-March/016247.html
>
> I believe the 1st link is the issue I might have (SSSD/PAM is somehow
> misconfigured). Others have pointed out that "sudo
> ipa-client-install/ipa-server-install --uninstall" is not a clean process,
> which I believe might have caused some misconfiguration. I'm not familiar
> with SSSD/PAM or how they should be configured. I'm hoping this is where I
> can get help.
>
> Below are my SSH logs and /var/log/secure from vpdns.homelab.internal
>
> SSH LOGS
> [ldo@vipa ~]$ ssh -v [email protected]
> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 62: Applying options for *
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vpdns.homelab.internal
> debug1: permanently_drop_suid: 1860400001
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_rsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/ldo/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.4
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
> debug1: Authenticating to vpdns.homelab.internal:22 as 'ldo'
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
> debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
> debug1: kex: curve25519-sha256 need=64 dh_need=64
> debug1: kex: curve25519-sha256 need=64 dh_need=64
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:CmN1AtdcdqAbPxZNE8lEdpZSVOsBlzhel9cfHwS3j9M
> debug1: Host 'vpdns.homelab.internal' is known and matches the ECDSA host key.
> debug1: Found key in /home/ldo/.ssh/known_hosts:1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server host/[email protected] not found in Kerberos database
>
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/ldo/.ssh/id_rsa
> debug1: Trying private key: /home/ldo/.ssh/id_dsa
> debug1: Trying private key: /home/ldo/.ssh/id_ecdsa
> debug1: Trying private key: /home/ldo/.ssh/id_ed25519
> debug1: Next authentication method: keyboard-interactive
> Password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> Password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> Password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: password
> [email protected]'s password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> Permission denied, please try again.
> [email protected]'s password:
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> Permission denied, please try again.
> [email protected]'s password:
> Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
> Authentication failed.
>
> /var/log/secure
> Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
> Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
> Mar 20 15:24:42 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198
> Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
> Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
> Mar 20 15:24:47 vpdns sshd[9509]: error: PAM: Authentication failure for ldo from 192.168.254.198
>
> Please let me know if I need to provide any additional information or logs.
> Do kindly specify where I can get them as well, since I'm just starting out in
> Linux and FreeIPA. Thank you all in advance.
Did you re-enroll the existing clients in the new IPA server? That is necessary.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
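The evidence for Rob's diagnosis is already in the posted logs: the `ssh -v` run from vipa fails GSSAPI with "Server host/... not found in Kerberos database", which is the new KDC reporting that it has no host principal for vpdns, while vpdns still holds a keytab cut by the old server and so rejects the password through pam_sss. The script below is an added example, not code from this thread or from the FreeIPA project. It checks for that combination over constructed copies of the three artefacts a practitioner would collect (the `ssh -v` output, `/var/log/secure`, and `klist -kt /etc/krb5.keytab` on the client) and prints the re-enrollment commands for the host names in the thread. The realm name HOMELAB.INTERNAL and the keytab listing are assumptions; the thread only shows the lower-case domain, and the real keytab contents are not posted.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): decide whether an IPA client
# still carries an enrollment for a KDC that no longer exists, and show the fix.
# Host names come from the thread; the realm and the keytab sample are assumed.
set -eu

CLIENT_FQDN=vpdns.homelab.internal
SERVER_FQDN=vipa.homelab.internal
DOMAIN=homelab.internal
REALM=HOMELAB.INTERNAL        # assumption: the thread shows only the domain
IPA_USER=ldo

# Constructed sample of `ssh -v` output, reduced to the lines that matter.
SSH_DEBUG='debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/vpdns.homelab.internal@HOMELAB.INTERNAL not found in Kerberos database
debug1: Next authentication method: password
Permission denied, please try again.'

# Constructed sample of /var/log/secure on the client.
SECURE_LOG='Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.254.198 user=ldo
Mar 20 15:24:39 vpdns sshd[9511]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)
Mar 20 15:24:45 vpdns sshd[9514]: pam_sss(sshd:auth): received for user ldo: 7 (Authentication failure)'

# Constructed (assumed) sample of `klist -kt /etc/krb5.keytab` on the client:
# the keytab still holds the host principal issued by the old server.
KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/10/2019 10:12:01 host/vpdns.homelab.internal@HOMELAB.INTERNAL'

# missing_host_principal SSH_DEBUG_TEXT -> the principal the KDC reported as
# unknown (KDC_ERR_S_PRINCIPAL_UNKNOWN), or nothing if GSSAPI did not fail so.
missing_host_principal() {
  printf '%s\n' "$1" | sed -n 's/^Server \(host\/[^ ]*\) not found in Kerberos database.*/\1/p'
}

# pam_sss_failures SECURE_LOG_TEXT USER -> count of pam_sss code-7 rejections
pam_sss_failures() {
  printf '%s\n' "$1" | grep -c "pam_sss(sshd:auth): received for user $2: 7" || true
}

# keytab_principal KLIST_TEXT FQDN -> the host principal stored for FQDN, if any
keytab_principal() {
  printf '%s\n' "$1" | sed -n "s/.* \(host\/$2@[A-Z0-9.-]*\)\$/\1/p" | head -n 1
}

# diagnose SSH_DEBUG_TEXT SECURE_LOG_TEXT KLIST_TEXT -> reenroll | sssd-auth | ok
# "reenroll": the KDC knows no host principal for the client, yet the client
# keytab holds exactly that principal. That is what a rebuilt IPA server
# leaves behind: the old enrollment is gone from the KDC, the client kept it.
# "sssd-auth": no GSSAPI evidence, but pam_sss rejected the user; look at
# sssd logs before re-enrolling.
diagnose() {
  unknown=$(missing_host_principal "$1")
  stored=$(keytab_principal "$3" "$CLIENT_FQDN")
  if [ -n "$unknown" ] && [ "$unknown" = "$stored" ]; then
    echo reenroll
  elif [ "$(pam_sss_failures "$2" "$IPA_USER")" -gt 0 ]; then
    echo sssd-auth
  else
    echo ok
  fi
}

# reenroll_commands -> the commands to run as root on the client, printed
# rather than executed so this script is safe to run anywhere. The install
# step is left interactive so the admin password is prompted for instead of
# landing in shell history; add --force-join only if the new server already
# has a host entry for this client.
reenroll_commands() {
  cat <<EOF
ipa-client-install --uninstall --unattended
ipa-client-install --mkhomedir \\
  --server=$SERVER_FQDN --domain=$DOMAIN --realm=$REALM --principal=admin
kinit -kt /etc/krb5.keytab host/$CLIENT_FQDN@$REALM   # keytab accepted by the new KDC?
klist -kt /etc/krb5.keytab
getent passwd $IPA_USER
EOF
}

# Stand-alone run: diagnose from the constructed samples, then show the fix.
result=$(diagnose "$SSH_DEBUG" "$SECURE_LOG" "$KEYTAB_LIST")
echo "diagnosis: $result"
if [ "$result" = reenroll ]; then
  reenroll_commands
fi
```

On a real client, replace the three sample strings with `ssh -v` output captured from the server, the client's `/var/log/secure`, and `klist -kt /etc/krb5.keytab` run as root on the client. The `kinit -kt` line after re-enrollment is the useful acceptance check: it succeeds only if the keytab now matches the key the new KDC holds for the host.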
