FreeIPA Server & Client
-
Are you using SSS for the client auth?
-
@stacksofplates Yes, and here is the content of /etc/sssd/sssd.conf:
[domain/server.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = server.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.server.local
chpass_provider = ipa
ipa_server = _srv_, ipa.server.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = server.local
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
-
Do you have an OTP set up for that user?
-
Also, can you SSH in as the IPA user, without using su?
-
@stacksofplates I cannot log in via SSH using the IPA user. After entering the password, it gives this error:
Permission denied, please try again
-
@stacksofplates Also, there is no OTP configuration on the IPA server.
-
Can you post your /etc/pam.d/system-auth and password-auth configs?
-
@stacksofplates The "/etc/pam.d/system-auth":
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
=================================================
and "/etc/pam.d/password-auth":
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
-
Looks fairly normal. What's in your /etc/nsswitch.conf file?
-
Also, if you log into the system with a different user, can you do a
kinit ldapuser
to get a Kerberos ticket?
-
@stacksofplates The "/etc/nsswitch.conf":
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
==============
Also, what makes the case very strange is that I can do kinit ldapuser normally, and su - user,
and also getent passwd user,
but cannot log in via SSH or the GUI.
-
I think the main question here is: how can we allow the Enterprise Login?
-
Did you change the password for the user after you set it?
Can you log into the IPA web interface with that user?
-
@stacksofplates said in FreeIPA Server & Client:
Did you change the password for the user after you set it?
Can you log into the IPA web interface with that user?
The password is changed in the first login,
and also I can access the IPA web interface with that user.
-
It really sounds like it's something to do with PAM. You can try doing an
authconfig --update
and see if that helps. If not, I'd just reinstall the ipa-client.
-
Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?
-
@stacksofplates said in FreeIPA Server & Client:
Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?
The admintools package is installed, but when I tried to run "ipa user-find --all" it shows this error:
[root@client ~]# ipa user-find --all
ipa: ERROR: 2.114 client incompatible with 2.112 server at 'https://ipa.server.local/ipa/xml'
-
@AlyRagab said in FreeIPA Server & Client:
@stacksofplates said in FreeIPA Server & Client:
Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?
The admintools package is installed, but when I tried to run "ipa user-find --all" it shows this error:
[root@client ~]# ipa user-find --all
ipa: ERROR: 2.114 client incompatible with 2.112 server at 'https://ipa.server.local/ipa/xml'
That's what I feared. I think to be able to run the IPA client on Fedora you will need to run the IPA server on Fedora server, not CentOS.
Or go the opposite and use CentOS 7 workstation instead of Fedora. I actually prefer the CentOS 7 workstation to Fedora, and I'm going to be switching back on my home laptop.
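-
The thread checks sssd.conf, nsswitch.conf and the PAM stacks by eye; the same review as a script, added here as an example and not part of any post in the thread. The function name, finding strings and trimmed sample inputs are constructed for illustration, and the sssd.conf check assumes responders are started from the `services` line rather than by socket activation.

```python
import configparser

def check_sss_wiring(sssd_conf, nsswitch_conf, pam_conf):
    """Return findings; an empty list means sss is wired into all three layers."""
    findings = []
    # sssd.conf: nss and pam responders listed, every domain has its section.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf)
    def items(key):  # comma-separated value from the [sssd] section
        raw = cp.get("sssd", key, fallback="")
        return [v.strip() for v in raw.split(",") if v.strip()]
    for svc in ("nss", "pam"):
        if svc not in items("services"):
            findings.append(f"sssd.conf: {svc} not in [sssd] services")
    if not items("domains"):
        findings.append("sssd.conf: [sssd] has no domains")
    for dom in items("domains"):
        if not cp.has_section(f"domain/{dom}"):
            findings.append(f"sssd.conf: missing [domain/{dom}]")
    # nsswitch.conf: passwd and group lookups must consult sss.
    nss = {}
    for line in nsswitch_conf.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep:
            nss[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        if "sss" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: {db} does not list sss")
    # PAM: every stack type must call pam_sss.so (a leading '-' on the type is stripped).
    stacks = {}
    for line in pam_conf.splitlines():
        tokens = line.split()
        mods = [t.rsplit("/", 1)[-1] for t in tokens if t.endswith(".so")]
        if mods and not tokens[0].startswith("#"):
            stacks.setdefault(tokens[0].lstrip("-"), []).append(mods[0])
    for kind in ("auth", "account", "password", "session"):
        if "pam_sss.so" not in stacks.get(kind, []):
            findings.append(f"pam: {kind} stack never calls pam_sss.so")
    return findings

# Constructed samples, trimmed from the files posted in the thread.
SSSD = ("[domain/server.local]\nid_provider = ipa\n"
        "[sssd]\nservices = nss, sudo, pam, ssh\ndomains = server.local\n")
NSS = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"
PAM = "\n".join(["auth sufficient pam_sss.so use_first_pass",
    "account [default=bad success=ok user_unknown=ignore] pam_sss.so",
    "password sufficient pam_sss.so use_authtok",
    "session optional pam_sss.so"])
print(check_sss_wiring(SSSD, NSS, PAM) or "sss wired into all three layers")
```

An empty result only shows that the three files reference sss consistently; it says nothing about whether the client and server versions are compatible, which is where this thread ended up.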