I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html
When I try to log in with the admin user I get the "Unauthorized" error. The logs say:
==> ssl_error_log <==
[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_tra...
On Thu, 17 Jan 2019, Ronald Wimmer via FreeIPA-users wrote:
> I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html
> When I try to log in with the admin user I get the "Unauthorized" error. The logs say:
> ==> ssl_error_log <==
> [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_tra...
Well, as it says, PAM validation failed. You need to look into sssd logs to see what was wrong. Most likely you have no HBAC rule that allows your users to log in to ipsilon. Did you create one? You need to create HBAC service 'ipsilon' and then an HBAC rule to govern access to this service on the machine where ipsilon is deployed.
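The HBAC service and rule described in the reply above, as an added example that is not part of the original thread and not the project's own code. The rule name `allow_ipsilon`, the `admins` group and the dry-run wrapper are assumptions; the host name is the one in the log line's referer URL.

```shell
#!/bin/sh
# Added example (not from the thread): HBAC service plus a scoped HBAC rule
# for the Ipsilon host. Assumed names: rule "allow_ipsilon", group "admins".
# DRY_RUN=1 (default) prints the ipa commands; DRY_RUN=0 executes them and
# needs an admin Kerberos ticket (kinit admin) on an IPA-enrolled machine.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# allow_ipsilon HOST GROUP [TESTUSER] [RULE]
allow_ipsilon() {
    host="$1"                    # FQDN of the machine where Ipsilon runs
    group="$2"                   # IPA user group allowed to log in
    testuser="${3:-admin}"       # user checked with hbactest afterwards
    rule="${4:-allow_ipsilon}"   # hypothetical rule name

    if [ -z "$host" ] || [ -z "$group" ]; then
        echo "usage: allow_ipsilon HOST GROUP [TESTUSER] [RULE]" >&2
        return 2
    fi

    # Steps: create the HBAC service 'ipsilon' named in the reply, create a
    # rule limited to that service, host and group, then simulate the access
    # decision with hbactest before retrying the browser login.
    run ipa hbacsvc-add ipsilon &&
    run ipa hbacrule-add "$rule" &&
    run ipa hbacrule-add-service "$rule" --hbacsvcs=ipsilon &&
    run ipa hbacrule-add-host "$rule" --hosts="$host" &&
    run ipa hbacrule-add-user "$rule" --groups="$group" &&
    run ipa hbactest --user="$testuser" --host="$host" --service=ipsilon --rules="$rule"
}

# Host name taken from the referer URL in the log line quoted in the thread.
allow_ipsilon ipa-ipsilon.linux.mydomain.at admins
```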
On 17.01.19 10:09, Alexander Bokovoy wrote:
> On Thu, 17 Jan 2019, Ronald Wimmer via FreeIPA-users wrote:
>> I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html
>> When I try to log in with the admin user I get the "Unauthorized" error. The logs say:
>> ==> ssl_error_log <==
>> [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client 10.65.150.250:33802] PAM account validation failed for user admin: Permission denied, referer: https://ipa-ipsilon.linux.mydomain.at/idp/login/gssapi/negotiate?ipsilon_tra...
> Well, as it says, PAM validation failed. You need to look into sssd logs to see what was wrong. Most likely you have no HBAC rule that allows your users to log in to ipsilon. Did you create one? You need to create HBAC service 'ipsilon' and then an HBAC rule to govern access to this service on the machine where ipsilon is deployed.
Thanks a lot for pointing me in the right direction. I am already logged in. As we are still not using IPA productively it did not come to my mind...
Cheers, Ronald
freeipa-users@lists.fedorahosted.org