On 1/9/14 1:27 PM, Simo Sorce wrote:
On Thu, 2014-01-09 at 12:00 -0500, Ryan Chase wrote:

On 1/9/14 11:45 AM, Rob Crittenden wrote:
Ryan Chase wrote:
On 1/9/14 11:15 AM, Jakub Hrozek wrote:
On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
On 1/8/14 5:25 PM, Jakub Hrozek wrote:
On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
I've added a new user using the command "ipa user-add" from the ipa
server.  I can see correct user information when I run the commands
"ipa user-show" and "ipa user-status". However, I cannot see the
user when I run "getent passwd username" or even "id username". When
I run "id username" I get, "no such user".
I feel this may be an issue with sssd, but I'm not 100% sure.
/etc/nsswitch.conf looks correct.
Any ideas?


IPA server is CentOS 6 running freeipa version 3.0.0

Hi Ryan,

this indeed sounds like an issue with the SSSD.

Given that you said nsswitch.conf looks OK, can you raise debug_level
(let's start with 5 perhaps) in the [nss] and [domain/] sections,
restart the SSSD and inspect the logs in /var/log/sssd/ for any

Is there anything in the syslog? Some errors, like invalid keytab are
logged to the system logs as well as the SSSD debug logs.

Below is a snip from the sssd log with debug_level=5
This was an ssh attempt to the server.

This log snippet is telling us about problems with keytab:

(Thu Jan  9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

Perhaps /var/log/sssd/ldap_child.log would have more info?

Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?

Running kinit -k gives the following

kinit: Password incorrect while getting initial credentials

Here is a snip from ldap_child.log
(Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400): ldap_child started.
(Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is:
(Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response] (0x0400): Building response for result [-1765328353]
(Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400): ldap_child completed successfully

So the keytab is bad, strange.  You might try this:

# kinit admin
# kvno host/`hostname`
# klist -kt /etc/krb5.keytab

Compare the version number of the service in the keytab vs what kvno
returns. They should be the same. If they are different then that
explains the failure. It would mean though that someone else pulled a
keytab for this host principal so generating a new keytab may break
whatever they did.

If you determine that this is ok you can fetch a new keytab with:

# ipa-getkeytab -s ipa.example.com -p host/`hostname` -k /etc/krb5.keytab

Then restart sssd and things should work.
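The keytab-versus-KDC comparison described in the steps above, as an added example that is not part of the original thread: it parses the output formats of MIT `klist -kt` and `kvno` and reports whether the keytab's newest key for the host principal matches the version the KDC holds. The sample outputs, the principal `host/client.example.com@EXAMPLE.COM` and the realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the key version number (kvno) a
# keytab holds for a principal with the version the KDC reports. Assumes the
# standard MIT Kerberos output formats of "klist -kt" and "kvno".

# Print the highest KVNO recorded for principal $2 in klist -kt output $1.
# Entry lines have four fields: KVNO, date, time, principal.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF == 4 && $4 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Print the KVNO from a kvno line such as "host/x@REALM: kvno = 3".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when the keytab's newest key for $3 matches the KDC, 1 on mismatch,
# 2 when either side could not be parsed. $1 = klist -kt output, $2 = kvno output.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kdc" ] || [ "$kt" -eq 0 ]; then
        echo "could not determine kvno for $3 (keytab=$kt kdc=$kdc)" >&2
        return 2
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: $3 kvno $kt matches the KDC"
        return 0
    fi
    # A higher KDC version means a newer keytab was issued somewhere else.
    echo "MISMATCH: keytab has kvno $kt, KDC reports $kdc for $3" >&2
    return 1
}

# Constructed sample output in the format of "klist -kt /etc/krb5.keytab".
PRINC='host/client.example.com@EXAMPLE.COM'
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/08/14 10:00:00 host/client.example.com@EXAMPLE.COM
   2 01/08/14 10:00:00 nfs/client.example.com@EXAMPLE.COM'
# Constructed output of "kvno host/client.example.com" on the same host.
KVNO_OUT='host/client.example.com@EXAMPLE.COM: kvno = 3'

check_kvno "$KLIST_OUT" "$KVNO_OUT" "$PRINC" || echo "exit status $?"
```

On a real host, feed it `"$(klist -kt /etc/krb5.keytab)"` and `"$(kvno host/$(hostname))"` after `kinit admin`; a mismatch is exactly the "Decrypt integrity check failed" condition from the ldap_child log.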


The version numbers don't match.  How would I fix this?

Using the ipa-getkeytab command mentioned above.


That command worked. I can now authenticate to the server and users appear as they should. I checked the version numbers again with kvno and klist, and they are still different. Does this matter? There are new entries when I run the command kinit -kt, also with a different version number than what kvno displays.

Thank you, everyone, for your help. I've been trying to debug this for a while.

Freeipa-users mailing list
