Hello, guys,
I am running FreeIPA at home, and I can enroll clients just fine. The issue I am facing, however, is with Fedora. If I have it enrolled, I can only log in with the single user I have set in the enterprise login. No other FreeIPA user is able to log in. When you try to log in with any other account, you get the message “Sorry, password authentication didn’t work, please try again,” even when the password is 100% correct. I am only facing this with Fedora; Ubuntu and openSUSE work just fine, and people are, in fact, able to log in.
Additionally, when attempting to log in with a FreeIPA user, it does display the user’s full name as set in FreeIPA, indicating that a connection is present.
EDIT: Figured it out. for some reason on fedora inside sssd.conf it automatically adds “simple_allow_users” and on ubuntu and opensuse it doesn’t do this. Removing this single line in the config file allows other users to login.
Did you make sure that you enabled “Any host” in the login parameters (or whatever it’s called, I forget) or specified the host that you’re trying to log into using your user?
Yep. The accounts don’t have permissions to log into the machine.
OP needs to fix the perms in FreeIPA. There are several ways todo this, and I’m not around a FreeIPA server at the moment.
I found the allow_all rule that is enabled. Mind you it is only on fedora I seem to have this issue with. Ubuntu and opensuse users can login just fine.
That doesn’t change the fix.
The accounts need to be allowed to login to the host in FreeIPA.
Is this something you set on the client it self or on the freeipa server for the host?. I never set such a option for any client though. i did enroll the other clients with the “freeipa-client-install” command and tried fedora with the initial setup. so their might be a difference in it how to enrolls?
Ah, my apologies - that was for sudo rules. No, I don’t think you’d need to define that whilst setting up the user.
Maybe this video will help you a bit: https://www.youtube.com/watch?v=GAHVU42ouOE&t=335s
Also, check the authentication methods you enabled for the user
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=GAHVU42ouOE&t=335s
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
I found the allow_all rule and it is enabled.