Hi,
I just freshly installed Rocky 9.4 and installed FreeIPA server on it. I added a user, enabled the user, changed the password, and set the policy using FreeIPA. However, when I try to log in with that password, it doesn’t prompt for a new password. It just says permission denied:

my_user@Desktop:~$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pacific.caps.int
my_user@pacific.caps.int's password:
Permission denied, please try again.

Logging in with a key pair works fine. Before the new install, I had Rocky 9.1 and I didn’t have an issue with password change. I haven’t made any changes to any of the configuration for sssd, sshd, FreeIPA, or Kerberos. All of the configurations are default settings. FreeIPA version is 4.11.0-15.el9_4. SSSD version is 2.9.4-6.el9_4.1.

In the krb5_child.log, I see:

(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] Prompt [0][Password for my_user@CAPS.INT].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x0200): [RID#15183] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].

sssd.conf:

[domain/caps.int]
id_provider = ipa
ipa_server_mode = True
ipa_server = pacific.caps.int
ipa_domain = caps.int
ipa_hostname = pacific.caps.int
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = caps.int
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[session_recording]

sshd_config:

Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server

sshd_config.d/04-ipa.conf:

PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

sshd_config.d/50-redhat.conf:

Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no

I tried commenting out the “ChallengeResponseAuthentication no” line in the 50-redhat.conf file and restarting sshd. However, that made no difference. I’ve been looking through the sssd, sssd-ipa, and sshd_config man pages and haven’t found any configuration options that might affect the ability to set the password. Any help will be appreciated.
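The quoted sshd_config fragments set the same keyword in two drop-in files, which is worth checking mechanically. The following is an added example (not from the post, and not SSSD or OpenSSH code): a small Python model of two rules from sshd_config(5), namely that Include globs are expanded and processed in lexical order at the point where the Include appears, and that for each keyword the first value obtained wins. The three files are reconstructed in memory from the post; the contents of /etc/crypto-policies/back-ends/opensshserver.config are not quoted in the post, so that file is an empty placeholder here. ChallengeResponseAuthentication is folded into KbdInteractiveAuthentication because OpenSSH 8.7, the version in Rocky 9, treats the former as an alias of the latter. Match blocks are not modelled.

```python
"""Model how sshd assembles its effective configuration from sshd_config and
Include'd drop-ins: Include globs are expanded in lexical order, and for each
keyword the first value obtained wins. Added example, not OpenSSH code."""
import fnmatch
import posixpath

SSH_DIR = "/etc/ssh"

# Constructed in-memory copy of the files quoted in the post. The crypto-policy
# file is not quoted there, so it is an empty placeholder.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "AuthorizedKeysFile .ssh/authorized_keys\n"
        "Subsystem sftp /usr/libexec/openssh/sftp-server\n"
    ),
    "/etc/ssh/sshd_config.d/04-ipa.conf": (
        "PubkeyAuthentication yes\n"
        "KerberosAuthentication no\n"
        "GSSAPIAuthentication yes\n"
        "UsePAM yes\n"
        "ChallengeResponseAuthentication yes\n"
        "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
        "AuthorizedKeysCommandUser nobody\n"
    ),
    "/etc/ssh/sshd_config.d/50-redhat.conf": (
        "Include /etc/crypto-policies/back-ends/opensshserver.config\n"
        "SyslogFacility AUTHPRIV\n"
        "ChallengeResponseAuthentication no\n"
        "GSSAPIAuthentication yes\n"
        "GSSAPICleanupCredentials no\n"
        "UsePAM yes\n"
        "X11Forwarding yes\n"
        "PrintMotd no\n"
    ),
    "/etc/crypto-policies/back-ends/opensshserver.config": "",  # placeholder
}

# OpenSSH 8.7 treats ChallengeResponseAuthentication as an alias of
# KbdInteractiveAuthentication, so both spellings land on one key.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def expand_include(patterns, files):
    """Expand one Include directive: relative paths live under /etc/ssh, each
    glob is expanded, and matches are returned in lexical order."""
    out = []
    for pat in patterns.split():
        if not posixpath.isabs(pat):
            pat = posixpath.join(SSH_DIR, pat)
        out.extend(sorted(p for p in files if fnmatch.fnmatchcase(p, pat)))
    return out


def parse_line(raw):
    """Return (keyword, value) for a directive, or None for blank/comment lines."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    key = ALIASES.get(parts[0].lower(), parts[0].lower())
    return key, (parts[1].strip() if len(parts) > 1 else "")


def resolve(files, root=SSH_DIR + "/sshd_config"):
    """Return (effective, shadowed). effective maps keyword -> (value, file,
    line); shadowed lists later settings that lost to an earlier one as
    (keyword, value, file, line, winning_file, winning_line)."""
    effective, shadowed = {}, []

    def walk(path, depth=0):
        if depth > 16:  # sshd also refuses runaway Include nesting
            raise ValueError("Include nesting too deep at %s" % path)
        for lineno, raw in enumerate(files[path].splitlines(), 1):
            parsed = parse_line(raw)
            if parsed is None:
                continue
            key, val = parsed
            if key == "include":
                for inc in expand_include(val, files):
                    walk(inc, depth + 1)
                continue
            if key in effective:  # first obtained value wins
                shadowed.append((key, val, path, lineno) + effective[key][1:])
            else:
                effective[key] = (val, path, lineno)

    walk(root)
    return effective, shadowed


if __name__ == "__main__":
    eff, lost = resolve(FILES)
    val, where, ln = eff["kbdinteractiveauthentication"]
    print("KbdInteractiveAuthentication = %s (from %s:%d)" % (val, where, ln))
    for key, val, path, ln, wpath, wln in lost:
        print("ignored: %s %s at %s:%d (set earlier in %s:%d)"
              % (key, val, path, ln, wpath, wln))
```

Because 04-ipa.conf sorts before 50-redhat.conf and both are pulled in by the Include on the first line of sshd_config, the model reports `ChallengeResponseAuthentication no` in 50-redhat.conf as shadowed by the `yes` in 04-ipa.conf, so editing that line in 50-redhat.conf cannot change the effective value. On a live host the authoritative check is `sshd -T`, which prints the configuration sshd actually ends up with (keywords in lowercase, e.g. a `kbdinteractiveauthentication` line), and is the thing to compare before and after any drop-in edit.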