On Mon, 2012-04-30 at 14:51 -0700, David Copperfield wrote:
> Hi folks,
>
> During migration of existing Kerberos/LDAP setup clients to IPA, after the
> 'ipa-client-install' command is run and reports successful migration, we
> found that the client fails to talk with the IPA server.
>
> The symptom is: in the /var/log/messages file at the IPA client side, we
> can see the following entries:
>
> Apr 30 11:07:04 ldapclient02 sssd: Starting up
> Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
> Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> It is figured out that, instead of backing up and overwriting
> /etc/krb5.keytab, ipa-client-install only appends the newly generated host
> keytab entries to the same file /etc/krb5.keytab. Then, when the original
> entries have a higher KVNO version than the newly generated siblings, the
> latter are shadowed and ignored.
>
> After manually removing the old entries from /etc/krb5.keytab with the
> tool ktutil (rkt, delent, wkt), the client immediately connects to the IPA
> server and the problem goes away. It will be greatly appreciated if native
> ipa-rmkeytab can be extended to do the same job.
Actually, this was a bug in SSSD that has now been fixed in the RHEL 6.3 beta. It's related to https://bugzilla.redhat.com/show_bug.cgi?id=805281 Please give that a try and see if it resolves your issue.
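The shadowing described in the quoted report (stale entries with a higher KVNO appended alongside fresh IPA entries with a lower KVNO, so the library keeps picking the stale keys) can be checked from `klist -kte` output before touching the keytab. The following is an added example, not code from the thread or from the FreeIPA/SSSD projects. It assumes the MIT `klist -k -t -e` layout (two header lines, then one line per key: KVNO, timestamp, principal, enctype in parentheses) and the default MIT timestamp format; the sample output and host names below are constructed to mirror the reported situation, and the `ktutil` slot numbering is assumed to follow keytab file order.

```python
"""Flag keytab principals whose newest keys are shadowed by stale higher-KVNO entries.

Added example (not from the thread or FreeIPA). Assumes MIT `klist -k -t -e`
output layout and the default MIT timestamp format "%m/%d/%y %H:%M:%S".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample output, not captured from the poster's host.
# Old KVNO 5 entries from the previous KDC sit before the new IPA KVNO 2 keys.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01/15/11 09:12:33 host/ldapclient02.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 01/15/11 09:12:33 host/ldapclient02.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 04/30/12 11:05:41 host/ldapclient02.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 04/30/12 11:05:41 host/ldapclient02.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 04/30/12 11:05:41 nfs/ldapclient02.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)(?:\s+\((.+)\))?\s*$")
TS_FMT = "%m/%d/%y %H:%M:%S"  # default MIT klist timestamp layout (assumption)


def parse_klist(text):
    """Return (slot, kvno, timestamp, principal, enctype) tuples in file order.

    Slot numbers start at 1, which is what `ktutil list` shows after `rkt`
    (assumed: ktutil and klist both walk the keytab in file order).
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header and separator lines
        kvno, ts, princ, etype = m.groups()
        entries.append((len(entries) + 1, int(kvno),
                        datetime.strptime(ts, TS_FMT), princ, etype))
    return entries


def find_shadowed(entries):
    """Report principals whose most recently written keys do not carry the highest KVNO.

    When a caller does not request a specific KVNO, the Kerberos library takes
    the highest one in the keytab, so the newest keys are never used.
    """
    by_princ = defaultdict(list)
    for e in entries:
        by_princ[e[3]].append(e)
    report = {}
    for princ, es in by_princ.items():
        kvnos = {e[1] for e in es}
        if len(kvnos) < 2:
            continue  # a single KVNO cannot shadow anything
        winning = max(kvnos)
        newest = max(es, key=lambda e: e[2])
        if newest[1] != winning:
            report[princ] = {
                "winning_kvno": winning,
                "newest_kvno": newest[1],
                "stale_slots": [e[0] for e in es if e[1] == winning],
            }
    return report


def ktutil_cleanup(keytab_path, report):
    """Build a ktutil session removing the stale slots.

    Slots are deleted in descending order so that removing one does not shift
    the numbers of those still to be removed. The result is written to a new
    file because `wkt` appends to an existing keytab rather than replacing it;
    move the new file into place afterwards.
    """
    slots = sorted({s for r in report.values() for s in r["stale_slots"]}, reverse=True)
    cmds = [f"rkt {keytab_path}"]
    cmds += [f"delent {s}" for s in slots]
    cmds += [f"wkt {keytab_path}.new", "quit"]
    return "\n".join(cmds)


if __name__ == "__main__":
    found = find_shadowed(parse_klist(SAMPLE_KLIST))
    for princ, info in found.items():
        print(f"{princ}: library uses KVNO {info['winning_kvno']}, "
              f"newest keys are KVNO {info['newest_kvno']} (shadowed)")
    print(ktutil_cleanup("/etc/krb5.keytab", found))
```

Run it against real output by replacing `SAMPLE_KLIST` with the text of `klist -k -t -e /etc/krb5.keytab`; a principal appearing in the report is exactly the condition that produced the "Decrypt integrity check failed" lines in the quoted log, and the emitted `ktutil` session reproduces the poster's manual rkt/delent/wkt fix without guessing slot numbers by hand.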
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
