Robert Kudyba wrote:
> 
> 
> On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden <[email protected]> wrote:
> 
>     Robert Kudyba via FreeIPA-users wrote:
>     > I believe we've made some progress but not quite there yet. Just to
>     > recap, any NEW user created via CLI or GUI can connect via ssh. All
>     > imported NIS users can only log in with their NIS password. I change
>     > the user's password in the UI and check the Password checkbox in
>     > User authentication type and click Save. I successfully added a
>     > client:
>     >
>     > ipa host-add-managedby --hosts=ourdomain.edu client.ourdomain.edu
>     > Host name: client.ourdomain.edu
>     > Platform: x86_64
>     > Operating system: 5.10.9-201.fc33.x86_64
>     > Principal name: host/client.ourdomain.edu@OURDOMAIN.EDU
>     > Principal alias: host/client.ourdomain.edu@OURDOMAIN.EDU
>     > Managed by: client.ourdomain.edu, ourdomain.edu
>     > -------------------------
>     > Number of members added 1
>     > -------------------------
>     > [root@ourdomain ~]# ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /tmp/client.keytab
>     > Keytab successfully retrieved and stored in: /tmp/client.keytab
> 
>     This is why SSSD isn't working. SSSD uses the host keytab in
>     /etc/krb5.keytab and you invalidated it with the above command.
> 
> 
> OK what do I need to do to fix this? I got this
> from 
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
> (which I realize is old),

Please do not use these documents. We'd remove them if it were in our
control.

You can re-run your getkeytab command using /etc/krb5.keytab instead to
sync up the keys.

>     > Based on this SF discussion
>     > <https://serverfault.com/questions/609086/freeipa-command-line-tools-do-not-work-no-kerberos-credentials-available>,
>     > I changed: in /etc/krb5.conf
>     > default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> 
>     I don't think this is necessary.
> 
> 
> OK Thanks for letting me know. 
> 
> Are these SSH logs helpful:
> 
> NEEDED_PREAUTH: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
> Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): closing down fd 11
> Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed
> 
> Does this have to do with your comment above about SSSD not working?

Yes. A keytab is a password and this is effectively a "bad password" error.

rob
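As an added example (not part of the thread, and not FreeIPA project code), the following POSIX shell script does two things that follow from Rob's diagnosis: it triages krb5kdc log lines for host principals that keep failing pre-authentication, which is how a stale /etc/krb5.keytab looks from the KDC's side, and it wraps the re-sync he recommends in a function written against /etc/krb5.keytab. The sample log is constructed, modelled on the lines Robert quoted plus the KDC's PREAUTH_FAILED status lines (which carry the failing principal); the server and realm arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Triage krb5kdc log lines for host
# principals that fail pre-authentication (the "bad password" a stale
# keytab produces), and the re-sync of /etc/krb5.keytab Rob describes.

# Constructed sample log, modelled on the lines quoted in the thread plus the
# KDC's PREAUTH_FAILED status lines, which name the principal that failed.
# It mixes one host that fails twice, a user with a wrong password, and a
# healthy host that gets a ticket.
SAMPLE_KDC_LOG='Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: NEEDED_PREAUTH: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: PREAUTH_FAILED: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Preauthentication failed
Mar 11 13:38:31 ourdomain.edu krb5kdc[369144](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: PREAUTH_FAILED: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Preauthentication failed
Mar 11 13:39:02 ourdomain.edu krb5kdc[369144](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.7: PREAUTH_FAILED: jdoe@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Preauthentication failed
Mar 11 13:40:10 ourdomain.edu krb5kdc[369144](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.9: ISSUE: authtime 1615491610, etypes {rep=18 tkt=18 ses=18}, host/other.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU'

# failed_host_principals [logfile...]
# Reads krb5kdc log lines (files or stdin) and prints, one per line, each
# host/ principal that hit PREAUTH_FAILED together with its failure count.
# A user typing a wrong password also produces PREAUTH_FAILED, so only
# host/ service principals are kept: a host has no typo to blame, its key
# simply no longer matches what the KDC holds.
failed_host_principals() {
    awk '
        /PREAUTH_FAILED: host\// {
            for (i = 1; i <= NF; i++)
                if ($i == "PREAUTH_FAILED:") n[$(i + 1)]++
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }
    ' "$@"
}

# resync_host_keytab IPA_SERVER REALM
# The fix Rob describes: fetch a fresh key for this host straight into the
# keytab SSSD reads. Each ipa-getkeytab run generates a new key and bumps the
# kvno on the KDC, so writing it anywhere but /etc/krb5.keytab (as the
# /tmp/client.keytab run did) leaves the real keytab holding a dead key.
# Run as root on the client with a ticket allowed to manage the host;
# IPA_SERVER and REALM are placeholders. Defined here for reference, the
# example itself does not call it.
resync_host_keytab() {
    server=$1
    realm=$2
    princ="host/$(hostname -f)@$realm"
    ipa-getkeytab -s "$server" -p "$princ" -k /etc/krb5.keytab || return 1
    # Confirm the keytab works before touching anything else: a TGT obtained
    # from the keytab alone proves client and KDC agree on the key again.
    kinit -kt /etc/krb5.keytab "$princ" && kdestroy
}

# Run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_KDC_LOG" | failed_host_principals
```

Run the triage against a real KDC log with `failed_host_principals /var/log/krb5kdc.log`; the user principal and the healthy host are filtered out, and only `host/client.ourdomain.edu@OURDOMAIN.EDU 2` remains. After `resync_host_keytab`, the same host should stop appearing and `kinit -kt /etc/krb5.keytab` should succeed, which is the check to run before blaming SSSD configuration.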
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
