
I have two FreeIPA servers running on CentOS 7, one a master, the other a replica. I can create a new user account on the master using e.g. the GUI and it appears on both servers, is active and not locked. I can log in using the FreeIPA GUI on either server. I can log in using ssh onto the master server and any domain clients, but when I (try to) ssh log in on the replica I get the following in /var/log/secure:

date time server sshd[pid]: pam_sss(sshd:auth): authentication success; .... user=testuser

date time server sshd[pid]: pam_sss(sshd:account): Access denied for user testuser: 4 (System error)

date time server sshd[pid]: error: PAM: User account has expired for testuser from ip

The sssd configurations are logically equivalent, in that the entries refer to the master and replica. The krb5.conf files are logically equivalent in that the server entries refer to the master and replica. The password-auth files in /etc/pam.d are identical. Both new and existing accounts behave in the same way. The sshd config files are identical.

I'm missing something... any ideas?

rabidstoat

1 Answer


As far as I can tell from here...

This is your real error:

date time server sshd[pid]: pam_sss(sshd:account): Access denied for user testuser: 4 (System error)

And this is sshd having a guess (and almost certainly guessing wrong):

date time server sshd[pid]: error: PAM: User account has expired for testuser from ip

sshd is calling PAM.

The account test is 'supposed' to check for expired accounts. However, it can reject a user for any number of reasons, of which account expiry is just one possibility.

And for whatever reason, it failed. sshd is assuming that it failed because the account has expired, but that's far from the only possibility.

For example, if the user is valid and the password is right, but there's no HBAC rule allowing this particular user to ssh to this particular host, then the password check passes, but the account check fails, and this error results.

Ben Aveling
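As an added illustration of the answer's point (example code, not part of the original question or answer): a small Python triage script that correlates the pam_sss auth and account lines by sshd pid and reads the PAM return code, so sshd's "User account has expired" line is only trusted when the code is 13 (PAM_ACCT_EXPIRED). The log lines are constructed in the shape of the question's excerpt, and the code-to-meaning table follows Linux-PAM numbering.

```python
import re
# Constructed sample in the shape of the question's /var/log/secure excerpt: pid 4242 mirrors the
# question (code 4), 4300 shows SSSD's usual HBAC-denial code (6), 4400 is a genuine expiry (13).
SAMPLE_LOG = """\
Mar  3 10:15:01 replica sshd[4242]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=testuser
Mar  3 10:15:01 replica sshd[4242]: pam_sss(sshd:account): Access denied for user testuser: 4 (System error)
Mar  3 10:15:01 replica sshd[4242]: error: PAM: User account has expired for testuser from 10.0.0.5
Mar  3 10:16:30 replica sshd[4300]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Mar  3 10:16:30 replica sshd[4300]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
Mar  3 10:16:30 replica sshd[4300]: error: PAM: User account has expired for alice from 10.0.0.5
Mar  3 10:17:00 replica sshd[4400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob
Mar  3 10:17:00 replica sshd[4400]: pam_sss(sshd:account): Access denied for user bob: 13 (User account has expired)
Mar  3 10:17:00 replica sshd[4400]: error: PAM: User account has expired for bob from 10.0.0.5
"""
# Linux-PAM return code -> (name, what it means for this diagnosis). Only 13 is a real expiry.
PAM_CODES = {
    4: ("PAM_SYSTEM_ERR", "SSSD hit a system error in the account phase; check the sssd logs on this host"),
    6: ("PAM_PERM_DENIED", "SSSD denied the account phase; typically no HBAC rule allows this user on this host"),
    13: ("PAM_ACCT_EXPIRED", "the account really is expired"),
}
PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
ACCOUNT_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (\S+): (\d+) \(")
EXPIRED_RE = re.compile(r"error: PAM: User account has expired for (\S+)")

def analyse(log):
    """Correlate PAM auth/account phases per sshd pid; say whether 'expired' is real or sshd's guess."""
    sessions = {}
    for line in log.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(pid, {"pid": pid, "user": None, "auth_ok": False,
                                      "account_code": None, "sshd_says_expired": False})
        if "pam_sss(sshd:auth): authentication success" in msg:
            s["auth_ok"] = True  # the password/Kerberos step passed
        elif (a := ACCOUNT_RE.search(msg)):
            s["user"], s["account_code"] = a.group(1), int(a.group(2))
        elif (e := EXPIRED_RE.search(msg)):
            s["sshd_says_expired"] = True  # sshd's interpretation, not pam_sss's
            s["user"] = s["user"] or e.group(1)
    findings = []
    for s in sessions.values():
        code = s["account_code"]
        if code is None:
            continue  # no account-phase denial logged for this pid
        name, hint = PAM_CODES.get(code, ("UNKNOWN", "account check failed for another reason"))
        s.update(pam_error=name, really_expired=(code == 13), hint=hint)
        findings.append(s)
    return findings
```

Run against the real file with `analyse(open("/var/log/secure").read())`; a session that shows auth_ok with code 4 or 6 is the answer's case, and the hint tells you where to look next.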