On Tue, Jun 23, 2015 at 05:24:32PM +1000, [email protected] wrote: > Hi, > This is one odd issue?! > > Red Hat Enterprise Linux 7.1 > > #Server Side > Red Hat Enterprise Linux Server release 7.1 (Maipo) > ipa-server-4.1.0-18.el7_1.3.x86_64 > > #Client side > Fedora release 21 (Twenty One) > * freeipa-client-4.1.4-1.fc21.x86_64 > * sssd-client-1.12.4-3.fc21.x86_64 > > > Issue: > User cannot login to their PC > > Error: /var/log/secure > Jun 23 17:08:48 johnpc sshd[3591]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john > Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=john > Jun 23 17:08:48 johnpc sshd[3591]: pam_sss(sshd:auth): received for user > john: 7 (Authentication failure) > > However: > 1. Kerberous works; > kinit john > john@johnpc /etc/pam.d> klist > Ticket cache: KEYRING:persistent:365:365 > Default principal: [email protected] > > Valid starting Expires Service principal > 23/06/15 16:49:30 24/06/15 16:49:28 > krbtgt/[email protected] > > 2. LDAP works; > john@johnpc ~> getent passwd john > john:x:365:132::/home/john:/bin/bash > > 3. ssh to IPA server works with a password (so not relying on the kerberous > ticket); > john@erio ~> ssh john@sysvm-ipa1 > john@sysvm-ipa1's password: > Last login: Tue Jun 23 16:50:02 2015 from johnpc.example.exampleaus.com.au > > > Any advice would be greatly appreciated?
I think we need sssd logs here, please see https://fedorahosted.org/sssd/wiki/Troubleshooting for details. We need at least logs for the PAM responder ([pam] section in sssd.conf) and the backend ([domain/...] section in sssd.conf). bye, Sumit > > Regards, > > Craig > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
