[root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

I see this in the sssd logs but still not authenticating. Will check out AVC and SELinux. Very frustrating.

________________________________________
From: Rob Crittenden <[email protected]>
Sent: Monday, March 31, 2014 3:52 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh wrote:
> HBAC rules are set to allow_all enabled

Ok. I'd start with increasing the sssd log level and see what it says. I gather that basic nss works since you can kinit as other users.

You may want to check for SELinux AVCs as well.

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Monday, March 31, 2014 3:44 PM
> To: Todd Maugh; [email protected]
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and
> enrolled to new server cant authenticate
>
> Todd Maugh wrote:
>> Hi,
>>
>> I have a rhel5 client. I had problems with my IPA environment and had
>> to rebuild.
>>
>> I'm on the latest version of IPA with a red hat 6 server.
>>
>> I successfully enrolled the client to the new server (same domain,
>> same realm). I had removed all old certs, sysrestores, and
>> ipa/default.conf.
>>
>> I can ssh to the box as root, and then either su or kinit to any IPA
>> user without issue.
>>
>> But when I try to ssh as the ipauser to the box it gives me permission
>> denied, please try again.
>>
>> I cleared out the sssd cache and restarted sssd.
>>
>> Is there something I'm missing or a log to check?
>>
>> I need to work this out before I move forward enrolling other
>> previously enrolled clients.
>
> Check your HBAC rules.
>
> rob
>
