1) IPA version 4.5.4, sssd version 1.16.0
2) Yes, the user is an AD user

Scott

________________________________
From: Rob Crittenden <rcrit...@redhat.com>
Sent: Wednesday, August 26, 2020 12:34 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Scott Z. <sud...@hotmail.com>
Subject: Re: [Freeipa-users] Not sure if FreeIPA issue or something else - false account is expired message
Scott Z. via FreeIPA-users wrote:
> It's happened 5 or 6 times over the past year that users attempting to
> log in to various Linux servers (using our IdM servers for
> authentication) are unable to do so. When we look in the
> /var/log/secure file on the client servers, we see messages that look
> like this:
>
> pam_unix(sshd:auth): authentication failure; logname= <blahblah>...
> pam_sss(sshd:auth): authentication success; logname= <blahblah>...
> pam_sss(sshd:account): User info message: Permission denied.
> pam_sss(sshd:account): system info: [The user account is expired on the AD server]
> pam_sss(sshd:account): Access denied for user <username>: 13 (User account has expired)
> pam_unix(sshd:auth): authentication failure; logname= <blahblah>...
> pam_sss(sshd:auth): authentication success; logname= <blahblah>...
> Failed password for <username> from <ip address> port 64452 ssh2
> fatal: Access denied for user <username> by PAM account configuration [preauth]
>
> The user's account is both good and valid, and his password is correct.
> The 'fix' for when we see this is to stop the sssd service, clear the
> local cache ("rm -rf /var/lib/sss/db/*"), and then restart the sssd
> service. Once we do that, the user is able to log back in no problem.
>
> As far as I can tell this is a problem with the client server itself,
> NOT FreeIPA, because I don't think the client is actually sending the
> login request back to the IdM server, but is there any way I can check
> on logs on the FreeIPA server to see if it's getting the authorization
> request to begin with? I've only ever seen this on our Linux servers
> that authorize through FreeIPA, not any other ones.
>
> Mahalo!

What version of IPA and sssd? Is the user in fact an AD user?

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
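The thread above describes a symptom (pam_sss passes the auth phase, then the account phase denies with "User account has expired") and a blunt workaround (stop sssd, rm -rf /var/lib/sss/db/*, start sssd). The script below is an added example, not code from the thread or from the sssd/FreeIPA projects. It does two things a practitioner would want: pull the affected user names out of /var/log/secure-style lines so the events can be counted and correlated, and offer sss_cache -u as a narrower alternative to deleting the whole cache directory (sss_cache -u marks only that user's cached entry as expired so sssd re-fetches it on the next lookup). The log lines, host name, user names and IP addresses are constructed for the demo; whether sss_cache -u alone clears the stale state the thread saw is an assumption to verify on an affected host, which is why the full-cache workaround is left as the fallback.

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread): find sshd logins that
# pam_sss denied with "User account has expired", and flush that user's
# sssd cache entry narrowly instead of wiping /var/lib/sss/db.

# Constructed sample in /var/log/secure format (host, users, IPs made up).
SAMPLE_LOG='Aug 26 12:01:03 host1 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=jdoe@ad.example.test
Aug 26 12:01:03 host1 sshd[2211]: pam_sss(sshd:account): system info: [The user account is expired on the AD server]
Aug 26 12:01:03 host1 sshd[2211]: pam_sss(sshd:account): Access denied for user jdoe@ad.example.test: 13 (User account has expired)
Aug 26 12:05:44 host1 sshd[2290]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=asmith
Aug 26 12:05:44 host1 sshd[2290]: pam_sss(sshd:auth): received for user asmith: 7 (Authentication failure)
Aug 26 12:07:10 host1 sshd[2310]: pam_sss(sshd:account): Access denied for user bwong@ad.example.test: 13 (User account has expired)'

# expired_users: read log lines on stdin, print each user that pam_sss
# denied in the account phase with "User account has expired", once each.
# Ordinary password failures (code 7) are deliberately not matched.
expired_users() {
    sed -n 's/.*pam_sss(sshd:account): Access denied for user \([^:]*\): 13 (User account has expired).*/\1/p' \
        | sort -u
}

# flush_user_cache: expire one user's cached entry (sss_cache -u USER) so
# sssd refetches it, rather than deleting the whole cache. Requires root
# and a running sssd; it is not executed by the demo or the test.
flush_user_cache() {
    user="$1"
    sss_cache -u "$user"
}

# flush_all_cache: the thread's own workaround, kept as the fallback if
# the per-user invalidation does not clear the stale state.
flush_all_cache() {
    systemctl stop sssd
    rm -rf /var/lib/sss/db/*
    systemctl start sssd
}

# Demo mode: report affected users from the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | expired_users
fi
```

On a real client, run `expired_users < /var/log/secure` (or feed it `journalctl -u sshd` output) to get the list of affected users, then `flush_user_cache jdoe@ad.example.test` for each one before resorting to the full cache wipe. For AD users seen through an IPA trust the name in the log is the fully qualified form, so pass that same form to sss_cache.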