I am trying to set up an IPA environment with a CentOS 7.3 server and clients and I am experiencing a behavior that I am not able to understand. I am using IPA version 4.4.0.
I was able to run ipa-server-install
on the server and ipa-client-install
on the client without any problems. Then I added a new user foo
in addition to the already existing user admin
, which is set up automatically by IPA for administration purposes.
Now to the odd part:
I am able to get a Kerberos ticket with kinit <user>
for both admin
and foo
, also on the client machine. So it seems like the setup has succeeded, I am able to obtain a Kerberos ticket on all hosts and if logged in as root, a su - foo
also works without problems. Also, when I try to log in over ssh to the IPA server machine, say ssh foo@servermachine
, it works like a charm. However, if I try log in to the IPA client machine, i.e. ssh foo@clientmachine
I get disconnected immediately:
! user@machine >ssh foo@clientmachine
Password:
foo@clientmachine's password:
Connection closed by 172.27.0.104
Interestingly, ssh asks for the password twice. ssh -vvv
after the second password attempt yields:
foo@clientmachine's password:
debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
debug2: we sent a password packet, wait for reply
Connection closed by 172.27.0.104
The more interesting side is on the client (ssh server), where journalctl -xeft sshd
shows this message after entering the password for the first time:
Jun 29 15:53:00 clientmachine sshd[5464]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com user=foo
Jun 29 15:53:00 clientmachine sshd[5464]: pam_krb5[5464]: TGT verified using key for 'host/clientmachine@REALM'
Jun 29 15:53:00 clientmachine sshd[5464]: pam_krb5[5464]: authentication succeeds for 'foo' (foo@REALM)
Jun 29 15:53:01 clientmachine sshd[5464]: pam_sss(sshd:account): Access denied for user foo: 4 (System error)
Jun 29 15:53:01 clientmachine sshd[5461]: error: PAM: User account has expired for foo from machine.domain.com
and the second time:
Jun 29 15:56:10 clientmachine sshd[5483]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com user=foo
Jun 29 15:56:10 clientmachine sshd[5483]: pam_krb5[5483]: TGT verified using key for 'host/clientmachine@REALM'
Jun 29 15:56:10 clientmachine sshd[5483]: pam_krb5[5483]: authentication succeeds for 'foo' (foo@REALM)
Jun 29 15:56:10 clientmachine sshd[5483]: Failed password for foo from 10.128.34.50 port 55327 ssh2
Jun 29 15:56:10 clientmachine sshd[5483]: fatal: Access denied for user foo by PAM account configuration [preauth]
I have double-checked that the account is not expired and moreover, as stated before, login as user foo via ssh works without problems if I connect to the IPA server machine. The respective sshd
log:
Jun 29 16:00:11 servermachine sshd[29995]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com user=foo
Jun 29 16:00:11 servermachine sshd[29992]: Accepted keyboard-interactive/pam for foo from 10.128.34.50 port 34662 ssh2
Jun 29 16:00:11 servermachine sshd[29992]: pam_unix(sshd:session): session opened for user foo by (uid=0)
Summarizing:
kinit foo
on server machine: Workskinit foo
on client machine: Workssu - foo
when logged in as root on server machine: Workssu - foo
when logged in as root on client machine: Worksssh foo@servermachine
: Worksssh foo@clientmachine
: Does not work!, ssh client gets disconnected immediately
I am not able to understand what is going on and I would appreciate any help!
Best Answer
You should not use
pam_krb5
in parallel topam_sss
. Why do you have it configured?