On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden <[email protected]> wrote:

> Robert Kudyba via FreeIPA-users wrote:
> > I believe we've made some progress but not quite there yet. Just to recap,
> > any NEW user created via CLI or GUI can connect via ssh. All imported NIS
> > users can only log in with their NIS password. I change the user's password
> > in the UI and check the Password checkbox in User authentication type and
> > click Save. I successfully added a client:
> >
> > ipa host-add-managedby --hosts=ourdomain.edu client.ourdomain.edu
> >   Host name: client.ourdomain.edu
> >   Platform: x86_64
> >   Operating system: 5.10.9-201.fc33.x86_64
> >   Principal name: host/client.ourdomain.edu(a)OURDOMAIN.EDU
> >   Principal alias: host/client.ourdomain.edu(a)OURDOMAIN.EDU
> >   Managed by: client.ourdomain.edu, ourdomain.edu
> > -------------------------
> > Number of members added 1
> > -------------------------
> > [root@ourdomain ~]# ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /tmp/client.keytab
> >
> > Keytab successfully retrieved and stored in: /tmp/client.keytab
>
> This is why SSSD isn't working. SSSD uses the host keytab in
> /etc/krb5.keytab and you invalidated it with the above command.

OK what do I need to do to fix this? I got this from https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html (which I realize is old),

> > Based on this SF discussion
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__serverfault.com_questions_609086_freeipa-2Dcommand-2Dline-2Dtools-2Ddo-2Dnot-2Dwork-2Dno-2Dkerberos-2Dcredentials-2Davailable&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=0bz4qE4zqmbW11Rk7h8PTgnoBihH-_JyksGK2nNOEVk&s=0ErLwhzlJCc-b2Uthn_hCdS5BkSjf-qOMvso8C-PDrg&e=>,
> > I changed: in /etc/krb5.conf
> >
> > default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>
> I don't think this is necessary.

OK Thanks for letting me know. Are these SSH logs helpful:

NEEDED_PREAUTH: host/client.ourdomain.edu .edu(a)OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): closing down fd 11
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed

Does this have to do with your comment above about SSSD not working?
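
An added example, not part of the original thread: by default `ipa-getkeytab` generates a new key for the principal, which raises its key version number (KVNO) on the KDC and leaves the older key in `/etc/krb5.keytab` unusable. The script compares the KVNO found in `klist -k` output with the one reported by `kvno`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a host keytab made stale by a later ipa-getkeytab run.
# Principal and realm follow the thread; the sample command output is constructed.

PRINCIPAL='host/client.ourdomain.edu@OURDOMAIN.EDU'

# Highest KVNO stored for principal $1, read from `klist -k` / `klist -kt` on stdin.
keytab_max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p && $1 + 0 > max) max = $1 + 0
        }
        END { print max + 0 }'
}

# KVNO the KDC currently issues, read from `kvno <principal>` output on stdin
# (line format: "<principal>: kvno = N").
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = principal, $2 = klist output, $3 = kvno output
verdict() {
    local_k=$(printf '%s\n' "$2" | keytab_max_kvno "$1")
    kdc_k=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$kdc_k" ]; then
        echo "unknown"        # no KVNO from the KDC (no ticket, or lookup failed)
    elif [ "$local_k" -eq 0 ]; then
        echo "missing"        # principal has no entry in the keytab at all
    elif [ "$local_k" -lt "$kdc_k" ]; then
        echo "stale (keytab kvno $local_k, KDC kvno $kdc_k)"
    else
        echo "ok"
    fi
}

# Constructed sample: the keytab still holds KVNO 1, the KDC has moved to 2.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   1 03/01/2021 09:15:02 host/client.ourdomain.edu@OURDOMAIN.EDU
   1 03/01/2021 09:15:02 host/client.ourdomain.edu@OURDOMAIN.EDU'
SAMPLE_KVNO='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 2'

# On a live client, pass "$(klist -k /etc/krb5.keytab)" and "$(kvno "$PRINCIPAL")"
# (the latter needs a valid user ticket from kinit) instead of the samples.
verdict "$PRINCIPAL" "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```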
