Hello All,
I have an LXC container running Centos7, fully patched, that I can't log into in a standard IPA usage configuration:

Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error)
Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10 port 54461 ssh2
Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by PAM account configuration [preauth]
Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 [preauth]
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for nuno from 172.16.3.253

Before the patching I was able to log in without any issue with this user. The user and password are not expired, and continue to work perfectly on other Centos7 systems without the patch. This only appears on LXC systems. I've tried to install a fresh Centos7 on KVM and it works perfectly. I've done a fresh LXC deployment, and the issue remains.

The workaround I found is to comment out the following line in /etc/pam.d/password-auth:

#account [default=bad success=ok user_unknown=ignore] pam_sss.so

Without this line I am able to log in perfectly.

The versions on the client side (Centos7) are:

python2-ipalib-4.4.0-14.el7.centos.4.noarch
sssd-ipa-1.14.0-43.el7_3.11.x86_64
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-common-4.4.0-14.el7.centos.4.noarch
ipa-client-common-4.4.0-14.el7.centos.4.noarch
python2-ipaclient-4.4.0-14.el7.centos.4.noarch
libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-client-4.4.0-14.el7.centos.4.x86_64
ipa-python-compat-4.4.0-14.el7.centos.4.noarch
python-ipaddress-1.0.16-2.el7.noarch

On the IPA server (Centos7):

python-libipa_hbac-1.14.0-43.el7_3.4.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64
ipa-admintools-4.4.0-14.el7.centos.noarch
ipa-server-4.4.0-14.el7.centos.x86_64
ipa-client-common-4.4.0-14.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaclient-4.4.0-14.el7.centos.noarch
python2-ipaserver-4.4.0-14.el7.centos.noarch
python2-ipalib-4.4.0-14.el7.centos.noarch
ipa-server-common-4.4.0-14.el7.centos.noarch
ipa-server-dns-4.4.0-14.el7.centos.noarch
ipa-python-compat-4.4.0-14.el7.centos.noarch
libipa_hbac-1.14.0-43.el7_3.4.x86_64
ipa-common-4.4.0-14.el7.centos.noarch

I think it might be LXC permissions related. I am using the LXC template for Centos7:

lxc.cap.drop = sys_nice sys_pacct sys_rawio

What am I missing?

Thanks for your help.

Nuno
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
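
Added example, not part of the original post: a small triage script for the sshd/pam_sss lines quoted in the message above. It groups events by sshd PID and separates account-phase results that carry code 4 (PAM_SYSTEM_ERR, the check itself failed) from code 6 (PAM_PERM_DENIED, an explicit refusal). The function name `triage` and the verdict labels are hypothetical; the code numbers follow Linux-PAM's numbering.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (sshd/pam_sss output on the LXC client).
SAMPLE = """\
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error)
"""

# Linux-PAM return codes used for the classification (assumed Linux-PAM numbering).
PAM_SYSTEM_ERR, PAM_PERM_DENIED = 4, 6

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)")
AUTH_OK = re.compile(r"authentication success;.*\buser=(?P<user>\S+)")
# The colon after the user name is optional: the post shows both spellings.
DENIED = re.compile(r"Access denied for user (?P<user>\S+?):? (?P<code>\d+) \(")

def triage(log_text):
    """Group pam_sss events by sshd PID and classify each account-phase denial."""
    auth_ok = defaultdict(set)  # pid -> users whose auth phase succeeded
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, phase, msg = m["pid"], m["phase"], m["msg"]
        if phase == "auth" and (a := AUTH_OK.search(msg)):
            auth_ok[pid].add(a["user"])
        elif phase == "account" and (d := DENIED.search(msg)):
            code = int(d["code"])
            if code == PAM_SYSTEM_ERR:
                verdict = "system-error"   # the account check errored; not a policy decision
            elif code == PAM_PERM_DENIED:
                verdict = "policy-denied"  # the account check ran and refused the user
            else:
                verdict = "other"
            findings.append({"pid": pid, "user": d["user"], "code": code,
                             "verdict": verdict, "auth_ok": d["user"] in auth_ok[pid]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `auth_ok` true and verdict `system-error` is the pattern in the post: the password was accepted and the account phase then failed with an error rather than a refusal.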
