Elhamsadat Azarian wrote:
> Hi Rob,
> Thank you for helping. I disabled the default HBAC rule and added a new rule so that user "elham" could log in and ssh on the hosts "ipa-client" and "ipa-server". Now it can ssh to ipa-server but it still had a problem with ipa-client. So rules couldn't solve my problem.
I don't know what to tell you without more details.
rob
> On Tue, 15 Oct 2019, 16:44 Rob Crittenden, <rcritten@redhat.com> wrote:
> > Please keep freeipa-users in the responses.
> >
> > Elhamsadat Azarian wrote:
> > > Hi Rob
> > > I did it and I got this answer:
> > >
> > > Access granted : false
> > >
> > > What can I do now?
> >
> > IPA ships with a default HBAC rule, allow_all, which allows all users to authenticate on all hosts. I can only assume you've deleted or disabled that, and that's fine. But if you do then you need to create the set of rules to grant access to hosts for the appropriate users.
> >
> > To provide specific assistance you'd need to share a bit of internal details, current HBAC rules, etc. It is understandable if you can't do that. But basically you need to evaluate your HBAC rules to find out why this user can't log into hosts. The user may be missing from a group, for example.
> >
> > rob
> >
> > > On Mon, 14 Oct 2019, 18:07 Rob Crittenden, <rcritten@redhat.com> wrote:
> > >
> > > Elhamsadat Azarian wrote:
> > > > I tried to add HBAC rules to my user but it said: some operation
> > > > failed. Users cannot be added when user category = all
> > >
> > > Adding list back.
> > >
> > > Try something like:
> > >
> > > ipa hbactest --user elham --service ssh --host <your host>
> > >
> > > There is an equivalent way to do it in the UI.
> > >
> > > rob
> > >
> > > > On Wed, 9 Oct 2019, 17:19 Rob Crittenden, <rcritten@redhat.com> wrote:
> > > >
> > > > Kevin Vasko via FreeIPA-users wrote:
> > > > > Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me.
> > > >
> > > > Right, and the troubleshooting page suggests that (and increasing debug logging).
> > > >
> > > > Please provide the output of the things you have already looked at.
> > > >
> > > > rob
> > > >
> > > > > -Kevin
> > > > >
> > > > > > On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > >
> > > > > > ### Request for enhancement
> > > > > > As a Linux admin I want to log in to my ipa client with a user that is defined in the ipa-server UI.
> > > > > >
> > > > > > ### Issue
> > > > > > I installed ipa-server and an ipa-client on CentOS 7.6.
> > > > > > I defined internal DNS on ipa-server and I defined A and PTR records for the client on ipa-server.
> > > > > > Now I can see my client in the ipa UI and I defined a user with the name "elham", and I expect that it can log in to ipa-client.
> > > > > > When I log in with root on ipa-client and I do sudo elham, it works, and kinit elham works too, but when I ssh into ipa-client with this user, it shows "Access denied".
> > > > > > I have errors with this context:
> > > > > > pam_reply : authentication failure to the client
> > > > > > pam_sss: authentication falure
> > > > > >
> > > > > > I'm tired of this issue. Please help me if you know the solution.
> > > > > >
> > > > > > #### Steps to Reproduce
> > > > > > 1. define new user "elham" in ipa UI
> > > > > > 2. SSH to ipa-client with elham
> > > > > > 3. Access denied
> > > > > >
> > > > > > #### Actual behavior
> > > > > > (what happens)
> > > > > >
> > > > > > #### Expected behavior
> > > > > > login into ipa-client successfully
> > > > > >
> > > > > > #### Version/Release/Distribution
> > > > > > ipa-server 4.6.5-11.el7
> > > > > > ipa-client 4.6.4-10.el7.centos.3
> > > > > > Log files and config files are added below:
> > > > > >
> > > > > > krb5.conf
> > > > > > ------------
> > > > > > #File modified by ipa-client-install
> > > > > >
> > > > > > includedir /etc/krb5.conf.d/
> > > > > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > > > >
> > > > > > [logging]
> > > > > > default = FILE:/var/log/krb5libs.log
> > > > > > kdc = FILE:/var/log/krb5kdc.log
> > > > > > admin_server = FILE:/var/log/kadmind.log
> > > > > > [libdefaults]
> > > > > > default_realm = LSHS.DC
> > > > > > dns_lookup_realm = false
> > > > > > dns_lookup_kdc = false
> > > > > > rdns = false
> > > > > > ticket_lifetime = 24h
> > > > > > forwardable = yes
> > > > > > allow_weak_crypto = true
> > > > > > default_ccache_name = KEYRING:persistent:%{uid}
> > > > > >
> > > > > > [realms]
> > > > > > LSHS.DC = {
> > > > > > kdc = ipa-irvlt01.example.dc:88
> > > > > > admin_server = ipa-irvlt01.example.dc:749
> > > > > > default_domain = example.dc
> > > > > > }
> > > > > > [domain_realm]
> > > > > > .example.com = LSHS.DC
> > > > > > example.com = LSHS.DC
> > > > > > ############################################
> > > > > >
> > > > > > sssd.conf
> > > > > > -------------
> > > > > > [domain/example.dc]
> > > > > >
> > > > > > cache_credentials = True
> > > > > > krb5_store_password_if_offline = True
> > > > > > ipa_domain = example.dc
> > > > > > id_provider = ipa
> > > > > > auth_provider = ipa
> > > > > > access_provider = ipa
> > > > > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > > > > ipa_hostname = ipacli-irvlt01.example.dc
> > > > > > chpass_provider = ipa
> > > > > > dyndns_update = True
> > > > > > ipa_server = _srv_, ipa-irvlt01.example.dc
> > > > > > dyndns_iface = ens160
> > > > > > dns_discovery_domain = example.dc
> > > > > >
> > > > > > debug_level = 10
> > > > > > [sssd]
> > > > > > ########### AFTER IPA ###################
> > > > > > #services = nss, sudo, pam, ssh
> > > > > > services = nss, pam
> > > > > > config_file_version = 2
> > > > > > #########################################
> > > > > > domains = example.dc
> > > > > >
> > > > > > debug_level = 10
> > > > > > [nss]
> > > > > > homedir_substring = /home
> > > > > >
> > > > > > [pam]
> > > > > > debug_level = 10
> > > > > >
> > > > > > [sudo]
> > > > > >
> > > > > > [autofs]
> > > > > >
> > > > > > [ssh]
> > > > > >
> > > > > > [pac]
> > > > > >
> > > > > > [ifp]
> > > > > >
> > > > > > [secrets]
> > > > > >
> > > > > > [session_recording]
> > > > > >
> > > > > > ##########################################
> > > > > >
> > > > > > _______________________________________________
> > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
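Rob's point above, that once allow_all is disabled every host the user must reach needs a rule matching user, host and service, as an added example that is not part of the thread or of FreeIPA's code: a simplified Python model of HBAC evaluation. The host labels ipa-server and ipa-client are the thread's own; sshd is the HBAC service IPA ships for SSH logins; the add_user error text is the one quoted in the thread.

```python
"""Simplified model of FreeIPA HBAC evaluation (constructed example, not
FreeIPA's own code): a rule naming only ipa-server cannot cover ipa-client."""
from dataclasses import dataclass, field

ALL = "all"  # category value meaning "any user / host / service"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercategory: str = ""      # ALL, or "" when explicit members are listed
    hostcategory: str = ""
    servicecategory: str = ""
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def add_user(self, user: str) -> None:
        # Same constraint as the error quoted in the thread.
        if self.usercategory == ALL:
            raise ValueError("Users cannot be added when user category = all")
        self.users.add(user)

    def matches(self, user: str, host: str, service: str) -> bool:
        return (self.enabled
                and (self.usercategory == ALL or user in self.users)
                and (self.hostcategory == ALL or host in self.hosts)
                and (self.servicecategory == ALL or service in self.services))


def hbactest(rules, user, host, service):
    """Like `ipa hbactest`: returns (access granted?, names of matching rules)."""
    matched = [r.name for r in rules if r.matches(user, host, service)]
    return bool(matched), matched


def build_rules(allow_all_enabled, rule_hosts):
    """allow_all as shipped (possibly disabled) plus one rule: elham, sshd, rule_hosts."""
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         usercategory=ALL, hostcategory=ALL, servicecategory=ALL)
    ssh_elham = HbacRule("ssh_elham", hosts=set(rule_hosts), services={"sshd"})
    ssh_elham.add_user("elham")
    return [allow_all, ssh_elham]


def report(rules, user, hosts, service="sshd"):
    """Evaluate one user against every host in the list: host -> granted."""
    return {h: hbactest(rules, user, h, service)[0] for h in hosts}
```

With allow_all disabled and the rule's hosts set to only ipa-server, report() grants ipa-server and denies ipa-client, which is the thread's symptom; adding ipa-client to the rule's hosts (or the user to a group the rule names) flips the verdict.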