Hello, guys,
I am running FreeIPA at home, and I can enroll clients just fine. The issue I am facing, however, is with Fedora. If I have it enrolled, I can only log in with the single user I have set in the enterprise login. No other FreeIPA user is able to log in. When you try to log in with any other account, you get the message “Sorry, password authentication didn’t work, please try again,” even when the password is 100% correct. I am only facing this with Fedora; Ubuntu and openSUSE work just fine, and people are, in fact, able to log in.
Additionally, when attempting to log in with a FreeIPA user, it does display the user’s full name as set in FreeIPA, indicating that a connection is present.
EDIT: Figured it out. for some reason on fedora inside sssd.conf it automatically adds “simple_allow_users” and on ubuntu and opensuse it doesn’t do this. Removing this single line in the config file allows other users to login.
Did you make sure that you enabled “Any host” in the login parameters (or whatever it’s called, I forget) or specified the host that you’re trying to log into using your user?
Yep. The accounts don’t have permissions to log into the machine.
OP needs to fix the perms in FreeIPA. There are several ways todo this, and I’m not around a FreeIPA server at the moment.
I found the allow_all rule that is enabled. Mind you it is only on fedora I seem to have this issue with. Ubuntu and opensuse users can login just fine.
That doesn’t change the fix.
The accounts need to be allowed to login to the host in FreeIPA.
Is this something you set on the client it self or on the freeipa server for the host?. I never set such a option for any client though. i did enroll the other clients with the “freeipa-client-install” command and tried fedora with the initial setup. so their might be a difference in it how to enrolls?
Ah, my apologies - that was for sudo rules. No, I don’t think you’d need to define that whilst setting up the user.
Maybe this video will help you a bit: https://www.youtube.com/watch?v=GAHVU42ouOE&t=335s
Also, check the authentication methods you enabled for the user
I found the allow_all rule and it is enabled.
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=GAHVU42ouOE&t=335s
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
So what’s in the log? On the host, and on the freeipa server?
OP needs to allow the accounts to log into the host on the FreeIPA server.
I have a FreeIPA + Fedora setup and forgot to add the host to my host group which controls host access for standard accounts, and I got the same message.
I managed to get it working by uncommenting the line “simple_allow_users” inside sssd.conf on the client. Also as far as i can find the default allow_all rule should allow all users to login to all clients. (I have not configured any fine grained control yet)