Hello the list,

It looks like sssd's horrible logging messages were to blame. It looks like when the keytab was initially deployed the system time between the IPA server and the host were not quite in sync and the keytab was invalidated. I redeployed the host's keytab (which, because SLES lacks the ipa-client tools, had to be done on the IPA server and delivered via SCP) and the problem was resolved.

Regards,

Aaron

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Monday, 4 December 2017 2:51 PM
To: 'Aaron Hicks via FreeIPA-users' <freeipa-users@lists.fedorahosted.org>
Subject: Unable to create GSSAPI-encrypted LDAP connection

Hello the list,

I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine); we're seeing this error when users try to log in: they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.

 

In this host's /var/log/sssd/ldap_child.log:

<27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - - Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - - Preauthentication failed

 

On the FreeIPA server, from /var/log/krb5kdc.log:

17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed

 

On the host in question klist gives the following (note that kinit works, even if ssh login does not):

sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example....@example.org (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example....@example.org (aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for ad...@example.org:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for ad...@example.org:
sles01:~ # kvno host/sles01.example....@example.org
host/sles01.example....@example.org: kvno = 3

 

Also, I've compared NTP and there's only ~2.5ms offset between the two hosts.

Increasing the logging level of sssd to debug_level=9 does not generate more logs.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
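The diagnostic that gives the game away in the thread above is the key version number: `klist -kte` on the host shows KVNO 1 for the host principal, while `kvno` against the KDC returns 3, so the keytab on disk no longer holds the key the KDC currently has for that principal. The script below is an added example, not sssd's or FreeIPA's code and not something the poster ran; it parses the output of the MIT Kerberos tools `klist -kte` and `kvno` and flags every principal whose current KDC key version is missing from the local keytab. The sample output, the host name and the realm in it are constructed for the example, and `check_live_keytab` is a helper of this example that shells out to the real tools when they are installed.

```python
"""Spot a stale host keytab by comparing the key version numbers (KVNO)
held in the local keytab with the KVNO the KDC currently serves.

Added example, not sssd's or FreeIPA's own code. It parses the output of
the MIT Kerberos tools `klist -kte` and `kvno`, which the post above ran
by hand. SAMPLE_KLIST and SAMPLE_KVNO are constructed, with a made-up host
name and realm.
"""
import re
import shutil
import subprocess
from collections import defaultdict

# One entry line of `klist -kte`: KVNO, date, time, principal, (enctype).
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# One line of `kvno PRINCIPAL ...`: "PRINCIPAL: kvno = N".
_KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")

# Constructed sample in the shape of the output shown in the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""
SAMPLE_KVNO = "host/sles01.example.test@EXAMPLE.TEST: kvno = 3\n"


def parse_keytab_listing(text):
    """Map each principal in `klist -kte` output to the set of KVNOs held."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kvno_output(text):
    """Map each principal in `kvno` output to the KVNO the KDC issued."""
    result = {}
    for line in text.splitlines():
        m = _KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def find_kvno_mismatches(keytab_kvnos, kdc_kvnos):
    """Return (principal, local_kvnos, kdc_kvno) for every principal whose
    current KDC key version is not present in the local keytab. A keytab
    whose key differs from the one the KDC holds fails encrypted-timestamp
    preauthentication, which is the PREAUTH_FAILED seen in krb5kdc.log."""
    out = []
    for princ, kdc_kvno in sorted(kdc_kvnos.items()):
        local = keytab_kvnos.get(princ, set())
        if kdc_kvno not in local:
            out.append((princ, sorted(local), kdc_kvno))
    return out


def check_live_keytab(keytab="/etc/krb5.keytab", principal_prefix="host/"):
    """Run the real tools against a keytab (helper of this example).
    `kvno` needs a ticket in the default credential cache, so run
    `kinit admin` first as the post did. Returns the mismatch list, or
    None when the Kerberos client tools are not installed."""
    if not shutil.which("klist") or not shutil.which("kvno"):
        return None
    listing = subprocess.run(["klist", "-kte", keytab], check=True,
                             capture_output=True, text=True).stdout
    local = parse_keytab_listing(listing)
    princs = [p for p in local if p.startswith(principal_prefix)]
    if not princs:
        return []
    # check=False: kvno exits non-zero if any principal cannot be looked up,
    # but still prints the ones it could resolve.
    kvno_out = subprocess.run(["kvno"] + princs, check=False,
                              capture_output=True, text=True).stdout
    return find_kvno_mismatches(local, parse_kvno_output(kvno_out))


if __name__ == "__main__":
    mismatches = check_live_keytab()
    if mismatches is None:  # no Kerberos tools here: show the sample instead
        mismatches = find_kvno_mismatches(parse_keytab_listing(SAMPLE_KLIST),
                                          parse_kvno_output(SAMPLE_KVNO))
    for princ, local, kdc in mismatches:
        print(f"STALE: {princ} keytab has KVNO {local}, KDC serves KVNO {kdc}")
```

Run it on the affected host after `kinit admin`, since `kvno` has to request a service ticket to learn the current key version. A reported mismatch means the host must get a fresh keytab; on an IPA server that is `ipa-getkeytab -s <server> -p host/<fqdn> -k <file>`, and each retrieval without `-r` generates a new key and bumps the KVNO, so any older copy on the host is dead from that moment. Copy the new file over /etc/krb5.keytab with root-only permissions, then delete the intermediate copy on the server and the SCP staging location, as the keytab is a long-lived credential for the host.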
