On 05/23/2015 01:51 PM, Bob Hinton wrote:
> Hello,
> 
> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
> and recreating the ipamaster VM then using ipa-restore on the rebuilt
> master.
> 
> Most functions of the newly built master work. Logging-in via ssh with
> keys works but using passwords produces "Permission denied, please try
> again".
> 
> Password attempts are logged with Authentication Failure in /var/log/secure
> 
> May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
> auser: 7 (Authentication failure)
> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
> auser: 7 (Authentication failure)
> May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
> May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 
> user=adminuser
> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
> user=adminuser
> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
> adminuser: 7 (Authentication failure)
> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
> user=adminuser
> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
> adminuser: 7 (Authentication failure)
> 
> I have two test users "adminuser" and "auser". I've tried various things
> with auser involving kadmin.local to attempt to change the kerberos
> password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
> try and force the user keytab to be invalid in the hope that it would be
> recreated, but this hasn't had any impact apart from slightly different
> errors in /var/log/krb5kdc.log (see below).
> 
> I've also tried replacing the keytab by using " ipa-getkeytab -p
> host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s
> localhost" to create a new one and then copy it over /etc/krb5.keytab,
> but this also didn't have any impact.
> 
> Can anyone tell me what I need to do to make ssh password authentication
> work on an newly created ipamaster with ipa populated via ipa-restore ?
> 
> The VM is RHEL7.1 with the following versions of ipa-server and
> ipa-client installed.
> 
> Many thanks
> 
> Bob
> 
> Name        : ipa-server
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 4.2 M
> Repo        : installed
>>From repo   : rhel-7-server-rpms
> Summary     : The IPA authentication server
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
>             : user, virtual machines, groups, authentication
> credentials), Policy
>             : (configuration settings, access control information) and
> Audit (events,
>             : logs, analysis thereof). If you are installing an IPA
> server you need
>             : to install this package (in other words, most people
> should NOT install
>             : this package).
> 
> Name        : ipa-client
> Arch        : x86_64
> Version     : 4.1.0
> Release     : 18.el7_1.3
> Size        : 440 k
> Repo        : installed
>>From repo   : rhel-7-server-rpms
> Summary     : IPA authentication for use on clients
> URL         : http://www.freeipa.org/
> Licence     : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
>             : user, virtual machines, groups, authentication
> credentials), Policy
>             : (configuration settings, access control information) and
> Audit (events,
>             : logs, analysis thereof). If your network uses IPA for
> authentication,
>             : this package should be installed on every client machine.
> 
> 
> 
> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor
> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
> host/ipa004.test.jackland...@test.jackland.uk for
> krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication
> required
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
> etypes {rep=18 tkt=18 ses=18},
> host/ipa004.test.jackland...@test.jackland.uk for
> krbtgt/test.jackland...@test.jackland.uk
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
> etypes {rep=18 tkt=18 ses=18},
> host/ipa004.test.jackland...@test.jackland.uk for
> ldap/ipa004.test.jackland...@test.jackland.uk
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170,
> etypes {rep=18 tkt=18 ses=18}, ad...@test.jackland.uk for
> ldap/ipa004.test.jackland...@test.jackland.uk
> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
> au...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk,
> Password has expired
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
> au...@test.jackland.uk for kadmin/chang...@test.jackland.uk, Additional
> pre-authentication required
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
> au...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk,
> Password has expired
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
> au...@test.jackland.uk for kadmin/chang...@test.jackland.uk, Additional
> pre-authentication required
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
> adminu...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk,
> Additional pre-authentication required
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
> adminu...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk,
> Additional pre-authentication required
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
> down fd 11
> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168,
> etypes {rep=18 tkt=18 ses=18},
> HTTP/ipa004.test.jackland...@test.jackland.uk for
> ldap/ipa004.test.jackland...@test.jackland.uk
> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ...
> CONSTRAINED-DELEGATION s4u-client=ad...@test.jackland.uk
> 


This log strange:

> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor

I assume SSSD's attempts generate this log. Would stopping SSSD, cleaning it's
caches (including fast ccache) in /var/lib/sss/db/ and starting again help?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to