On Mon, Jan 09, 2017 at 11:21:00AM +0100, rajat gupta wrote:
> Hi,
>
> Error message is changed today, but same, some are able to login but most of
> the users are not. Please find the below logs from ipa2 server.
>
> /var/log/secure
>
> Jan 9 11:02:59 ilt-gif-ipa02 sshd[18942]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=x.x.x.x.x user=et33015
> Jan 9 11:02:59 ilt-gif-ipa02 sshd[18942]: pam_sss(sshd:auth): received for
> user et33015: 6 (Permission denied)
> Jan 9 11:02:59 ilt-gif-ipa02 sshd[18940]: error: PAM: Authentication
> failure for et33015 from x.x.x.x.x
>
> =================================
> ...
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]] [dp_req_done]
> (0x0400): DP Request [PAM Preauth #1074]: Request handler finished [0]:
> Success
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]] [_dp_req_recv]
> (0x0400): DP Request [PAM Preauth #1074]: Receiving request data.
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]]
> [dp_req_destructor] (0x0400): DP Request [PAM Preauth #1074]: Request
> removed.
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]]
> [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]] [dp_pam_reply]
> (0x1000): DP Request [PAM Preauth #1074]: Sending result [4][
> corp.corpcommon.com]
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]]
> [child_sig_handler] (0x1000): Waiting for child [18952].
> (Mon Jan 9 11:02:59 2017) [sssd[be[ipa.preprod.local]]]
> [child_sig_handler] (0x0100): child [18952] finished successfully.

Can you add the messages that follow here as well and the related
messages from krb5_child.log?

bye,
Sumit

>
>
> > On Mon, Jan 9, 2017 at 9:48 AM, rajat gupta <[email protected]> wrote:
> > > few users are able to login. ipa ad-trust setup.
> >
> > ==========================
> > Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking
> > getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed -
> > POSSIBLE BREAK-IN ATTEMPT!
> > Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user et33015 from
> > x.x.x.x
> > Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: input_userauth_request: invalid
> > user et33015 [preauth]
> > Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: error: PAM: User not known to
> > the underlying authentication module for illegal user et33015 from x.x.x.x
> > Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Failed keyboard-interactive/pam
> > for invalid user et33015 from x.x.x.x port 51270 ssh2
> > Jan 6 10:48:56 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> > user et33015 from 146.213.128.135 port 51270 ssh2
> > Jan 6 10:49:00 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> > user et33015 from 146.213.128.135 port 51270 ssh2
> > Jan 6 10:49:02 ilt-gif-ipa02 sshd[22490]: Failed password for invalid
> > user et33015 from 146.213.128.135 port 51270 ssh2
> > Jan 6 10:49:32 ilt-gif-ipa02 sshd[22490]: Connection closed by x.x.x.x
> > [preauth]
> > ============================
> >
> > ====================
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [get_server_status] (0x1000): Status of server
> > 'ilt-gif-ipa01.ipa.preprod.local' is 'working'
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [get_port_status]
> > (0x1000): Port status of port 0 for server 'ilt-gif-ipa01.ipa.preprod.local'
> > is 'not working'
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [be_resolve_server_done] (0x1000): Server resolution failed: [5]:
> > Input/output error
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
> > [Input/output error])
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> > (0x2000): Going offline!
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_mark_offline]
> > (0x2000): Initialize check_if_online_ptask.
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]] [be_ptask_create]
> > (0x0400): Periodic task [Check if online (periodic)] was created
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling
> > task 72 seconds from now [1483696200]
> > (Fri Jan 6 10:48:48 2017) [sssd[be[ipa.preprod.local]]]
> > [be_run_offline_cb] (0x0080): Going offline. Running callbacks
> >
> > =================
> >
> > cat /etc/sssd/sssd.conf
> > [domain/ipa.preprod.local]
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = ipa.preprod.local
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ilt-gif-ipa02.ipa.preprod.local
> > chpass_provider = ipa
> > ipa_server = _srv_, ilt-gif-ipa01.ipa.preprod.local
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > debug_level = 9
> >
> >
> > [sssd]
> > default_domain_suffix = corp.corpcommon.com
> > services = nss, sudo, pam, ssh
> > debug_level = 9
> >
> >
> > domains = ipa.preprod.local
> > [nss]
> > override_homedir = /home/%u
> > debug_level = 9
> >
> >
> >
> > [pam]
> > debug_level = 9
> >
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> > debug_level = 9
> >
> >
> > [pac]
> >
> > [ifp]
> > ===============
> >
> > I am able to getent and kinit for all of the AD users, but most of the
> > users are not able to login via ssh /ad-password
> >
> > getent passwd et33015
> > [email protected]:*:1007629326:1007629326:Th Sub:/home/et33015:
> >
> > and
> >
> > kinit [email protected] <http://corp.corpcommon.com/>
> >
> >
> --
>
> *Rajat Gupta *
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
