#7869 ipa client unable to ssh
Closed: invalid 5 years ago by abbra. Opened 5 years ago by tmdag.

Issue

I have installed the FreeIPA client on a workstation that I have been using for a while.
The existing user name is the same as the FreeIPA registered user.

After the FreeIPA installation, my registered user is unable to use ssh (even to itself).
ssh as a different user which is not registered in IPA (like root) works fine.
Unfortunately I cannot check other registered IPA users, as it does not accept their password for some reason (but it does pick up their full names from the IPA server).

I have tried removing ~/.ssh or /var/lib/sss/db/* but that did not help.

$ ssh myipaserver -vvvvv
OpenSSH_7.9p1, OpenSSL 1.1.1a FIPS  20 Nov 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaserver
debug1: identity file /home/myuser/.ssh/id_rsa type -1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/myuser/.ssh/id_xmss type -1
debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: ssh_exchange_identification: \033[H\033[2J\033[3JSSH-2.0-OpenSSH_7.9


debug1: ssh_exchange_identification: 
debug1: ssh_exchange_identification: \262O\026\211\326jz\017\322\001n\246
debug1: ssh_exchange_identification: nge-sha1,diffie-hellman-group14-sha1
debug1: ssh_exchange_identification: chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug1: ssh_exchange_identification: ,hmac-sha2-512
ssh_exchange_identification: Connection closed by remote host

Version/Release/Distribution

package freeipa-server is not installed
freeipa-client-4.7.2-1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
package 389-ds-base is not installed
package pki-ca is not installed
package krb5-server is not installed
4.20.6-200.fc29.x86_64

server:

freeipa-server-4.7.2-1.fc29.x86_64
freeipa-client-4.7.2-1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.21-1.fc29.x86_64
pki-ca-10.6.9-1.fc29.noarch
krb5-server-1.16.1-25.fc29.x86_64
4.20.8-200.fc29.x86_64

myuser@client$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: myuser@HOME.MYDOMAIN.COM

Valid starting     Expires            Service principal
19/02/19 01:22:00  20/02/19 01:17:52  ldap/ipaserver.home.mydomain.com@HOME.MYDOMAIN.COM
19/02/19 01:17:58  20/02/19 01:17:52  krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM

myuser@client$  kinit admin
Password for admin@HOME.MYDOMAIN.COM: 

myuser@client$  klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_2NHy688
Default principal: admin@HOME.MYDOMAIN.COM

Valid starting     Expires            Service principal
19/02/19 02:28:56  20/02/19 02:28:53  krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
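An added diagnostic, not code from the ticket or from FreeIPA/SSSD: it pulls the ssh_exchange_identification lines out of an `ssh -vvv` trace like the one above and checks them against RFC 4253, which requires the server's version string to begin with "SSH-" in column 0. Bytes in front of it (here the terminal clear-screen sequences ESC[H ESC[2J ESC[3J) make the client treat the real banner as an ignorable pre-banner line and read on into binary KEXINIT data, which is the pattern in the trace; the sample trace is constructed from the lines quoted in the report.

```python
import re

# Constructed sample: the ssh_exchange_identification lines from the posted
# `ssh -vvvvv` trace (OpenSSH prints non-printable bytes as \NNN octal).
SAMPLE_DEBUG = r"""
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: ssh_exchange_identification: \033[H\033[2J\033[3JSSH-2.0-OpenSSH_7.9
debug1: ssh_exchange_identification:
debug1: ssh_exchange_identification: \262O\026\211\326jz\017\322\001n\246
debug1: ssh_exchange_identification: ,hmac-sha2-512
ssh_exchange_identification: Connection closed by remote host
""".strip("\n")

_IDENT_LINE = re.compile(r"^debug1: ssh_exchange_identification: ?(.*)$")
_OCTAL = re.compile(r"\\([0-7]{3})")
# ANSI CSI sequence such as ESC[H or ESC[2J (cursor home / clear screen).
_ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def decode_octal(s: str) -> str:
    """Turn OpenSSH's \\NNN octal escapes back into the raw characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)


def received_lines(debug_output: str) -> list:
    """Collect, in order, the lines the client read while waiting for the
    server's version string."""
    out = []
    for line in debug_output.splitlines():
        m = _IDENT_LINE.match(line)
        if m:
            out.append(decode_octal(m.group(1)))
    return out


def diagnose_banner(lines: list) -> dict:
    """RFC 4253 section 4.2: the version string must start with "SSH-" in
    column 0. Other lines are skipped as pre-banner text, so a banner with
    bytes in front of it is never recognised and the client reads on."""
    for line in lines:
        if line.startswith("SSH-"):
            return {"ok": True, "banner": line, "leading_junk": "", "ansi": False}
    for line in lines:
        idx = line.find("SSH-")
        if idx > 0:
            junk = line[:idx]
            return {"ok": False, "banner": line[idx:], "leading_junk": junk,
                    "ansi": bool(_ANSI_CSI.search(junk))}
    return {"ok": False, "banner": None, "leading_junk": "", "ansi": False}
```

Feed it the saved output of `ssh -vvv host`; `ansi` being true points at something on the ProxyCommand path writing terminal control output to stdout before the SSH stream starts.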

Please note that issues at pagure.io/freeipa aren't used for project support. Please consider using the freeipa-users@ mailing list for that instead.

In addition, FreeIPA itself is not responsible for the operations on the client after installation. Please see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to troubleshoot common issues from the SSSD point of view.

Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

5 years ago

Thanks for the suggestion @abbra. I went through the troubleshooting page and found nothing. I have tried the mailing list but until today haven't received approval from a moderator (I wish there were something accessible for people to get support; people are scattered from reddit to serverfault).

I did though find a similar issue from 2016:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00277.html
and similarly for me, commenting out "ProxyCommand" makes ssh work for me as well, but that does not look like a proper solution, and a user from that mailing list suggests submitting a bug ticket.

If you still find that it does not belong here, then sorry, and I will wait patiently for moderator approval on the mailing list.

Metadata Update from @tmdag:
- Issue status updated to: Open (was: Closed)

5 years ago

The subscription page is here: https://lists.fedoraproject.org/admin/lists/freeipa-users.lists.fedorahosted.org/
There is no need to wait for a moderator at all.

You did not provide any logs that could help diagnose your issue -- the SSSD troubleshooting guide has enough details on how to do so. Please generate debug logs for SSSD (pam, nss, and domain sections) and post them to the list.

Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

5 years ago

Thanks @abbra!
I landed on https://www.redhat.com/mailman/listinfo/freeipa-users and missed the info that it was deprecated, my bad.
