Albert Adams wrote:
Rob, there are no HBAC rules defined other than the default "allow_all" rule, which has not been customized. It is a vanilla install at this point. I have not added anything other than the replica, a few clients, one user group and the users to the system.
Ok. I would update the sssd debug level and restart it, then try the login again. On system2 are you able to use nss tools to identify IPA users (id, getent, etc)?
rob
On Thu, Dec 6, 2012 at 11:08 PM, Rob Crittenden <[email protected]> wrote:

Albert Adams wrote:

I have a small IPA domain set up on RHEL 6 with a FreeIPA server, a replica and two clients. There are six users set up in the domain. All users are able to log in over SSH to both client systems. I am not using IPA to control sudo access. Sudo privileges are granted by group membership (group memberships are managed by IPA).

So here is where it gets weird.

Client Systems

system1 - testuser1 can authenticate over SSH using public key, can log in at the console, and CAN sudo (all other users are able to do the same)
system2 - testuser1 can authenticate over SSH using public key and CANNOT log in at the console or sudo (two out of six users can log in and sudo)

So for example:

system1 - SSH, console and sudo access
testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

system2 - SSH access only
testuser1, testuser2, testuser3, testuser4

system2 - SSH, console and sudo access
testuser5, testuser6

All users have the same group memberships and use SSH keys to authenticate to the system.

Errors when the user tries to sudo
------------------------------------------------------------
/var/log/secure
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

Errors when the user tries to log in at the console
-------------------------------------------------------------
/var/log/secure
Dec 6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec 6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure

I found this post and it looks similar, but my /var/log/sssd/krb5_child.log is empty.

https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

The link to http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html was dead, but I checked the /tmp permissions like the guy in the forum post and they were:

# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/

It's really puzzling that sudo works for some users but not others, and it's only on one system. I've thought about enrolling additional systems in the IPA domain to determine if this one system is just a problem child, but I'd rather get it ironed out before moving over any additional systems.

Thanks in advance,
Albert

I would look to see if you have any Host-based access (HBAC) rules defined. This would explain the behavior.

rob
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
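The diagnostic steps Rob suggests (check that NSS can resolve the IPA users, raise the sssd debug level and restart, then retry) and the pam_sss return codes in Albert's log, as an added shell example that is not part of the thread. Two facts it relies on: PAM return code 4 is PAM_SYSTEM_ERR, meaning sssd could not complete the authentication request at all (backend or krb5_child trouble) rather than a rejected password, and SSH public-key authentication never runs the PAM auth stack, which is why SSH keeps working while console login and sudo, which do ask pam_sss to verify a password, fail. The /var/log/secure excerpt and the sssd.conf contents below are constructed for the example; `example.com`, `ipa1.example.com` and the file paths are placeholders, and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Works on a constructed
# /var/log/secure excerpt and a constructed sssd.conf; "example.com",
# "ipa1.example.com" and the paths are placeholders.

# Constructed sample lines in the pam_sss format seen in the thread.
# PAM code 4 is PAM_SYSTEM_ERR (sssd could not complete the request, e.g.
# the backend or krb5_child failed); 7 is PAM_AUTH_ERR (credentials rejected).
SAMPLE_SECURE='Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:55:10 ipa-client1 sshd: pam_sss(sshd:auth): received for user testuser5: 7 (Authentication failure)
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)'

# classify_pam_sss LOGTEXT
# Prints "user<TAB>pam-code<TAB>class" for every "received for user" line.
classify_pam_sss() {
    printf '%s\n' "$1" | awk '
        /pam_sss\([^)]*:auth\): received for user / {
            user = $0; sub(/.*received for user /, "", user); sub(/:.*/, "", user)
            code = $0; sub(/.*received for user [^:]*: /, "", code); sub(/ .*/, "", code)
            cls = "other"
            if (code + 0 == 4) cls = "backend-error"
            else if (code + 0 == 7) cls = "bad-credentials"
            print user "\t" code "\t" cls
        }'
}

# system_error_users LOGTEXT
# Users whose pam_sss auth ended in PAM_SYSTEM_ERR: these need the sssd logs,
# not a password check.
system_error_users() {
    classify_pam_sss "$1" | awk -F'\t' '$2 + 0 == 4 { print $1 }' | sort -u
}

# nss_resolves_user NAME
# Rob's first check: can NSS (and so sssd's nss responder) see the user at
# all? Returns 0 if getent and id both succeed, 2 if getent is not installed.
nss_resolves_user() {
    command -v getent >/dev/null 2>&1 || return 2
    getent passwd "$1" >/dev/null 2>&1 && id "$1" >/dev/null 2>&1
}

# set_sssd_debug_level FILE SECTION LEVEL
# Sets sssd's debug_level option in one section of an sssd.conf: the new
# line goes right under the section header and any existing debug_level
# line in that section is dropped. Edits a copy, then moves it into place.
set_sssd_debug_level() {
    _c=$1; _s=$2; _l=$3
    _t="$_c.tmp.$$"
    awk -v sec="[$_s]" -v lvl="$_l" '
        /^\[/ { insec = ($0 == sec); print; if (insec) print "debug_level = " lvl; next }
        insec && /^ *debug_level *=/ { next }
        { print }
    ' "$_c" > "$_t" && mv "$_t" "$_c"
}

# get_sssd_debug_level FILE SECTION
# Prints the debug_level value of one section, or nothing if unset.
get_sssd_debug_level() {
    awk -v sec="[$2]" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^ *debug_level *=/ { v = $0; sub(/.*= */, "", v); print v }
    ' "$1"
}

# Stand-alone run: which users in the sample need the sssd-side investigation.
printf 'users with PAM_SYSTEM_ERR from pam_sss: %s\n' "$(system_error_users "$SAMPLE_SECURE" | tr '\n' ' ')"
# On the affected client the sequence would then be (not run here):
#   set_sssd_debug_level /etc/sssd/sssd.conf domain/example.com 6
#   service sssd restart            # RHEL 6 init script
#   nss_resolves_user testuser1     # id / getent served by sssd
#   (retry the console login, then read /var/log/sssd/sssd_example.com.log
#    and /var/log/sssd/krb5_child.log for the request that returned 4)
```

The split the classifier makes is the one that matters when reading Albert's log: every failing user gets code 4, not 7, so the password is never being checked at all, and the next evidence is in sssd's own logs after the debug level is raised, not in /var/log/secure.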
