Good Day!

I installed a new IPA server (same name as the old one) on a new
server.  I added a single user for testing.  I have a client that was
previously a client of the old IPA server; I ran ipa-client-install
--uninstall, removed /etc/ipa/ca.crt, removed items left in /tmp,
and rebooted.  I then updated /etc/hosts to point to the new IPA
server, and ran ipa-client-install --no-ntp.  The install went fine.
Now when I try to log in to the client using my new test user, it
doesn't work.  I get the errors below.  I am able to log in to the new
directory server with my new user, was prompted to change my password,
and was able to log back in just fine.

Any help is appreciated.  Thanks.

Client:
[root@test3-vm ~]# uname -a
Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@test3-vm ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@test3-vm ~]# rpm -qa | grep ipa-client
ipa-client-3.0.0-42.el6.centos.x86_64

Server:
[root@dir1 ~]# uname -a
Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@dir1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@dir1 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64



From client:
[root@test3-vm sssd]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
   1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
   1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
   1 01/23/15 14:27:06 host/test3-vm.mydomain....@mydomain.com
[root@test3-vm sssd]


This works fine:

[root@test3-vm sssd]# kinit tester1
Password for test...@mydomain.com:
[root@test3-vm sssd]#


[root@test3-vm sssd]# tail -200 krb5_child.log
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain....@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data]
(0x0200): Received error code 1432158218
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain....@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data]
(0x0200): Received error code 1432158218





[root@test3-vm sssd]# cat /etc/sssd/sssd.conf
# Do not edit Managed by Spacewalk
[domain/MYDOMAIN.COM]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = MYDOMAIN.COM
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = test3-vm.MYDOMAIN.COM
chpass_provider = ipa
ipa_server = _srv_, dir1.MYDOMAIN.COM
dns_discovery_domain = MYDOMAIN.COM

sudo_provider = ldap
ldap_uri = ldap://dir1.MYDOMAIN.COM
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = dir1.MYDOMAIN.COM
debug_level = 5

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
debug_level = 5

domains = MYDOMAIN.COM
[nss]

[pam]

[sudo]
debug_level = 5

[autofs]

[ssh]

[pac]
