Hi list,
RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from
sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the
existing HBAC rules to function.
Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using
sssd-ipa?
Thanks.
Regards,
Siggi
[root@ipaclient sssd]# kinit -kt /etc/krb5.keytab
kinit(v5): Preauthentication failed while getting initial credentials
ipaserver krb5kdc log file:
/var/log/krb5kdc:
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: NEEDED_PREAUTH: host/ipaclient.realm....@realm.net for krbtgt/realm....@realm.net, Additional pre-authentication required
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): Doing certauth authorize for [host/ipaclient.realm....@realm.net]
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): Got cert filter [(userCertificate;binary=xxxxxxx
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): No matching entry found
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): preauth (pkinit) verify failure: Certificate mismatch
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: PREAUTH_FAILED: host/ipaclient.realm....@realm.net for krbtgt/realm....@realm.net, Certificate mismatch
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): closing down fd 10
client sssd log files:
==> sssd_nss.log <==
(Mon Nov 6 16:18:23 2017) [sssd[nss]] [accept_fd_handler] (6): Client connected!
(Mon Nov 6 16:18:23 2017) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Mon Nov 6 16:18:23 2017) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Mon Nov 6 16:18:23 2017) [sssd[nss]] [nss_cmd_getpwuid_search] (4): Requesting info for [693200...@realm.net]
(Mon Nov 6 16:18:23 2017) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [realm.net][4097][1][idnumber=693200437]
==> ldap_child.log <==
(Mon Nov 6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [ldap_child_get_tgt_sync] (4): Principal name is: [host/ipaclient.realm....@realm.net]
(Mon Nov 6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Certificate mismatch
(Mon Nov 6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [main] (1): ldap_child_get_tgt_sync failed.
==> sssd_realm.net.log <==
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [read_pipe_handler] (6): EOF received, client finished
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Certificate mismatch], expired on [0]
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_cli_kinit_done] (6): Cannot get a TGT: ret [5] result [4]
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [fo_set_port_status] (4): Marking port 0 of server 'ipaserver1.realm.net' as 'not working'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [fo_resolve_service_send] (4): Trying to resolve service 'IPA'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver22.realm.net' is 'name resolved'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver2.realm.net' is 'not working'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver1.realm.net' is 'name resolved'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver1.realm.net' is 'not working'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver21.realm.net' is 'name resolved'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver21.realm.net' is 'not working'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver1.realm.net' is 'name resolved'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 0 for server 'ipaserver1.realm.net' is 'not working'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [fo_resolve_service_send] (1): No available servers for service 'IPA'
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [be_resolve_server_done] (7): Server resolution failed: 5
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_id_op_connect_done] (1): Failed to connect, going offline (5 [Input/output error])
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [be_run_offline_cb] (3): Going offline. Running callbacks.
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [acctinfo_callback] (4): Request processed. Returned 1,11,Offline
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [child_sig_handler] (7): Waiting for child [13376].
(Mon Nov 6 16:18:24 2017) [sssd[be[realm.net]]] [child_sig_handler] (4): child [13376] finished successfully.