>
> > > Keytab successfully retrieved and stored in: /tmp/client.keytab
> >
> > This is why SSSD isn't working. SSSD uses the host keytab in
> > /etc/krb5.keytab and you invalidated it with the above command.
> >
> >
> > OK what do I need to do to fix this? I got this
> > from
> https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_Fedora_18_html_FreeIPA-5FGuide_Installing-5Fthe-5FIPA-5FClient-5Fon-5FLinux.html&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=DPUtTQx5TfzHXpznmDzOwRF-DMQCNuyTEyFZjQRbf24&s=_71xAKn9TgPKxsbm1Ei0b4VaeazS0Ax__ECpurXTUd0&e=
> > (which I realize is old),
>
> Please do not use these documents. We'd remove them if it were in our
> control.
>
Understood.
You can re-run your getkeytab command using /etc/krb5.keytab instead to
> sync up the keys.
>
OK I ran:
ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k
/etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Then I scp the keytab to the client /etc directory. Now in the krb5.log I
see:
Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.64.55:
LOOKING_UP_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)}
host/client.ourdomain [email protected] for DNS/
[email protected], Server not found in Kerberos
database
Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): closing down fd 11
ssh logs:
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: attempt 2 failures 1
[preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: keyboard-interactive devs
[preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 44136 ssh2 [preauth]
Mar 11 15:39:30 ourdomain sshd[375524]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): received for
user ouruser: 9 (Authentication service cannot retrieve authentication info)
> > Does this have to do with your comment above about SSSD not working?
>
> Yes. A keytab is a password and this is effectively a "bad password" error.
Do I have to restart any services?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
