I am having trouble logging in with an IPA user on Solaris 10. The machine is able to correctly initialize tickets using kinit. The issue appears to be PAM related. I am using FreeIPA 4.1.3.
I have tried to follow the instructions here as best I can: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Here are my kinit and klist tests
---------------------------------
$ kinit ipauser1
Password for [email protected]:
[07:45 PM] ipaclient5-sandbox-atdev-van:/var/log$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
02/25/15 19:45:10  02/26/15 19:45:10  krbtgt/[email protected]
        renew until 03/04/15 19:45:10

Here are the last 2 lines of the output of getent passwd showing my ipa admin and user
--------------------------------------------------------------------------------------
admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash

However, this is what happens when I try to login as 'ipauser1'. On the console I am prompted with 'Password:'. I enter the valid password, and suddenly Putty pops up a window 'Server unexpectedly closed network connection'. If I try to login as [email protected] it still fails, but in a different way.
The putty window stays open and I get an 'Access denied' message and am prompted for the password again:

Logs with 'ipauser1'
--------------------
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port 22
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: server_input_channel_req: channel 0 request [email protected] reply 1
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_input_channel_req: session 0 req [email protected]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: userauth-request for user ipauser1 service ssh-connection method none [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: PAM: initializing for "ipauser1"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 781331 auth.debug] PAM[761]: pam_start(sshd,ipauser1,811c170:812b8e0) - debug = 1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:service)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:user)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:conv)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:rhost)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:tty)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: userauth-request for user ipauser1 service ssh-connection method keyboard-interactive [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: keyboard-interactive devs [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: auth2_challenge: user=ipauser1 devs= [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.debug] debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 120752 auth.debug] PAM[763]: pam_set_item(812b8e0:conv)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 690215 auth.debug] PAM[763]: pam_authenticate(812b8e0, 1)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 130555 auth.debug] PAM[763]: load_modules(812b8e0, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 149594 auth.debug] PAM[763]: load_function: successful load of pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 130555 auth.debug] PAM[763]: load_modules(812b8e0, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 149594 auth.debug] PAM[763]: load_function: successful load of pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 130555 auth.debug] PAM[763]: load_modules(812b8e0, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 149594 auth.debug] PAM[763]: load_function: successful load of pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 130555 auth.debug] PAM[763]: load_modules(812b8e0, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 149594 auth.debug] PAM[763]: load_function: successful load of pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 130555 auth.debug] PAM[763]: load_modules(812b8e0, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 149594 auth.debug] PAM[763]: load_function: successful load of pam_sm_authenticate
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 776247 auth.debug] PAM[763]: pam_get_user(812b8e0, 812b8e0, NULL)
Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID 800047 auth.info] Postponed keyboard-interactive for ipauser1 from 10.5.5.57 port 57607 ssh2 [preauth]
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 120752 auth.debug] PAM[763]: pam_set_item(812b8e0:authtok)
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net last message repeated 1 time
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='ipauser1'
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: server_input_channel_req: channel 0 request window-change reply 0
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_input_channel_req: session 0 req window-change

Logs with [email protected]
------------------
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] Connection from 10.5.5.57 port 57655 on 10.21.19.16 port 22
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: KEX done [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: userauth-request for user [email protected] service ssh-connection method none [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] Invalid user [email protected] from 10.5.5.57
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] input_userauth_request: invalid user [email protected] [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: PAM: initializing for "[email protected]"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 781347 auth.debug] PAM[765]: pam_start(sshd,[email protected],811c170:812d610) - debug = 1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 645040 auth.debug] PAM[765]: pam_set_item(812d610:service)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 645040 auth.debug] PAM[765]: pam_set_item(812d610:user)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 645040 auth.debug] PAM[765]: pam_set_item(812d610:conv)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 645040 auth.debug] PAM[765]: pam_set_item(812d610:rhost)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 645040 auth.debug] PAM[765]: pam_set_item(812d610:tty)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: userauth-request for user [email protected] service ssh-connection method keyboard-interactive [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: keyboard-interactive devs [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: auth2_challenge: [email protected] devs= [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 269347 auth.debug] PAM[767]: pam_set_item(812d610:conv)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 690217 auth.debug] PAM[767]: pam_authenticate(812d610, 1)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 130556 auth.debug] PAM[767]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 278576 auth.debug] PAM[767]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 130556 auth.debug] PAM[767]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 278576 auth.debug] PAM[767]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 130556 auth.debug] PAM[767]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 278576 auth.debug] PAM[767]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 130556 auth.debug] PAM[767]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 278576 auth.debug] PAM[767]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 130556 auth.debug] PAM[767]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 278576 auth.debug] PAM[767]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 896806 auth.debug] PAM[767]: pam_get_user(812d610, 812d610, NULL)
Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user [email protected] from 10.5.5.57 port 57655 ssh2 [preauth]
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: server_input_channel_req: channel 0 request [email protected] reply 1
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID 800047 auth.debug] debug1: session_input_channel_req: session 0 req [email protected]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net last message repeated 1 time
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 219349 auth.debug] pam_unix_auth: user [email protected] not found
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No account present for user
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID 269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user [email protected] from 10.5.5.57
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user [email protected] from 10.5.5.57 port 57655 ssh2
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: userauth-request for user [email protected] service ssh-connection method keyboard-interactive [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: attempt 2 failures 1 [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: keyboard-interactive devs [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: auth2_challenge: [email protected] devs= [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.debug] debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 531491 auth.debug] PAM[768]: pam_set_item(812d610:conv)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 561236 auth.debug] PAM[768]: pam_authenticate(812d610, 1)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 195047 auth.debug] PAM[768]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 502849 auth.debug] PAM[768]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 195047 auth.debug] PAM[768]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 502849 auth.debug] PAM[768]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 195047 auth.debug] PAM[768]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 502849 auth.debug] PAM[768]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 195047 auth.debug] PAM[768]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 502849 auth.debug] PAM[768]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 195047 auth.debug] PAM[768]: load_modules(812d610, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 502849 auth.debug] PAM[768]: load_function: successful load of pam_sm_authenticate
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID 251960 auth.debug] PAM[768]: pam_get_user(812d610, 812d610, NULL)
Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user [email protected] from 10.5.5.57 port 57655 ssh2 [preauth]

Here is my /etc/krb5.conf file
------------------------------
[libdefaults]
default_realm = IPADOMAIN.NET
dns_lookup_kdc = true

[realms]
IPADOMAIN.NET = {
  kdc = 10.21.19.20
  admin_server = 10.21.19.20
}

[domain_realm]
.ipadomain.net = IPADOMAIN.NET
ipadomain.net = IPADOMAIN.NET

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
  period = 1d
  version = 10
}

[appdefaults]
kinit = {
  renewable = true
  forwardable= true
}

Here is my /etc/pam.conf (please note that some stuff is commented out for troubleshooting. I have tried with everything uncommented and it doesn't work. I have also tried following about 10 different ways to configure PAM that I have seen in other forum posts where people were having Solaris troubles and have not found the magic combination yet.)
------------------------
#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
#login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
#rlogin auth requisite pam_authtok_get.so.1
#rlogin auth required pam_dhkeys.so.1
#rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
#krlogin auth required pam_unix_cred.so.1
#krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
#krsh auth required pam_unix_cred.so.1
#krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
#ktelnet auth required pam_unix_cred.so.1
#ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
#ppp auth requisite pam_authtok_get.so.1
#ppp auth required pam_dhkeys.so.1
#ppp auth required pam_unix_cred.so.1
#ppp auth required pam_unix_auth.so.1
#ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth required pam_unix_cred.so.1 debug
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
#cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1 debug
other account required pam_unix_account.so.1 debug
#other account sufficient pam_ldap.so.1
other account required pam_krb5.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
#other password required pam_dhkeys.so.1
#other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1 debug
other password required pam_authtok_store.so.1
