On 05/23/2015 01:51 PM, Bob Hinton wrote:
> Hello,
>
> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
> and recreating the ipamaster VM then using ipa-restore on the rebuilt
> master.
>
> Most functions of the newly built master work. Logging in via ssh with
> keys works but using passwords produces "Permission denied, please try
> again".
>
> Password attempts are logged with Authentication Failure in /var/log/secure
>
> May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
> May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
> May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>
> I have two test users "adminuser" and "auser". I've tried various things
> with auser involving kadmin.local to attempt to change the kerberos
> password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
> try and force the user keytab to be invalid in the hope that it would be
> recreated, but this hasn't had any impact apart from slightly different
> errors in /var/log/krb5kdc.log (see below).
>
> I've also tried replacing the keytab by using "ipa-getkeytab -p
> host/[email protected] -k temp.keytab -s
> localhost" to create a new one and then copy it over /etc/krb5.keytab,
> but this also didn't have any impact.
>
> Can anyone tell me what I need to do to make ssh password authentication
> work on a newly created ipamaster with ipa populated via ipa-restore?
>
> The VM is RHEL7.1 with the following versions of ipa-server and
> ipa-client installed.
>
> Many thanks
>
> Bob
>
> Name : ipa-server
> Arch : x86_64
> Version : 4.1.0
> Release : 18.el7_1.3
> Size : 4.2 M
> Repo : installed
> From repo : rhel-7-server-rpms
> Summary : The IPA authentication server
> URL : http://www.freeipa.org/
> Licence : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
> : user, virtual machines, groups, authentication credentials), Policy
> : (configuration settings, access control information) and Audit (events,
> : logs, analysis thereof). If you are installing an IPA server you need
> : to install this package (in other words, most people should NOT install
> : this package).
>
> Name : ipa-client
> Arch : x86_64
> Version : 4.1.0
> Release : 18.el7_1.3
> Size : 440 k
> Repo : installed
> From repo : rhel-7-server-rpms
> Summary : IPA authentication for use on clients
> URL : http://www.freeipa.org/
> Licence : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
> : user, virtual machines, groups, authentication credentials), Policy
> : (configuration settings, access control information) and Audit (events,
> : logs, analysis thereof). If your network uses IPA for authentication,
> : this package should be installed on every client machine.
>
>
> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for ldap/[email protected]
> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ... CONSTRAINED-DELEGATION [email protected]
>
This log is strange:

> <unknown client> for <unknown server>, Decrypt integrity check failed
> while handling ap-request armor

I assume SSSD's attempts generate this log. Would stopping SSSD, cleaning its caches (including fast ccache) in /var/lib/sss/db/ and starting again help?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
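The krb5kdc.log excerpt in the quoted message mixes two distinct failure signatures: `CLIENT KEY EXPIRED ... Password has expired` for auser, and the repeated `error decoding FAST: ... Decrypt integrity check failed while handling ap-request armor` that shows up alongside every password attempt and is the line the reply singles out. The following Python is an added example, not code from the thread and not FreeIPA or SSSD code, that parses AS_REQ/TGS_REQ records from krb5kdc.log and summarises them per client IP and principal so the two signatures can be told apart mechanically. The sample lines are constructed to match the excerpt's format; `EXAMPLE.REALM` is a placeholder realm because the principals' realm is not visible in the thread, and the function names are the example's own.

```python
"""Triage krb5kdc.log AS_REQ/TGS_REQ outcomes (added example, not FreeIPA code)."""
import re
from collections import Counter

# Constructed sample modelled on the krb5kdc.log excerpt in the thread.
# EXAMPLE.REALM is a placeholder realm; host, PID and client IP follow the excerpt.
SAMPLE_KDC_LOG = """\
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/ipa004.test.jackland.uk@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Password has expired
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminuser@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Additional pre-authentication required
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
"""

# Syslog-style prefix, then the request type, the client's offered etypes and its IP.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): (?P<rest>.*)$"
)
# The outcomes seen in the thread; ISSUE carries an authtime/etypes prefix,
# the others carry a trailing ", <detail>" explanation.
OUTCOME_RE = re.compile(
    r"^(?P<outcome>ISSUE|NEEDED_PREAUTH|CLIENT KEY EXPIRED|error decoding FAST): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client><unknown client>|[^\s,]+) for (?P<server><unknown server>|[^\s,]+)"
    r"(?:, (?P<detail>.*))?$"
)


def parse_kdc_line(line):
    """Return a dict for one AS_REQ/TGS_REQ record, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None                      # e.g. "closing down fd 11"
    ev = m.groupdict()
    o = OUTCOME_RE.match(ev.pop("rest"))
    if not o:
        return None                      # unknown outcome: skip rather than guess
    ev.update(o.groupdict())
    return ev


def parse_kdc_log(text):
    """Parse a whole log text into a list of records, dropping non-request lines."""
    return [ev for ev in (parse_kdc_line(ln) for ln in text.splitlines()) if ev]


def triage(events):
    """Group outcomes so the failure mode can be named per client IP / principal."""
    fast_failures = Counter()            # client IP -> armor integrity failures
    expired = set()                      # principals the KDC reports as expired
    issued = Counter()                   # principals that did receive tickets
    for ev in events:
        if ev["outcome"] == "error decoding FAST" and "ap-request armor" in (ev["detail"] or ""):
            fast_failures[ev["ip"]] += 1
        elif ev["outcome"] == "CLIENT KEY EXPIRED":
            expired.add(ev["client"])
        elif ev["outcome"] == "ISSUE":
            issued[ev["client"]] += 1
    hints = []
    for ip, n in sorted(fast_failures.items()):
        hints.append(f"{ip}: {n} FAST armor failure(s); the armor ticket this client presents "
                     "does not verify against this KDC, so check the client's cached armor "
                     "ticket before suspecting the user's password")
    for princ in sorted(expired):
        hints.append(f"{princ}: KDC reports the key/password as expired; password logins "
                     "for this principal cannot succeed until it is reset")
    return {"fast_armor_failures": dict(fast_failures), "expired_principals": expired,
            "issued": dict(issued), "hints": hints}


if __name__ == "__main__":
    for hint in triage(parse_kdc_log(SAMPLE_KDC_LOG))["hints"]:
        print(hint)
```

Feed `parse_kdc_log` the text of the real `/var/log/krb5kdc.log` to run it on a live master. The useful reading is the split it produces: a user whose only outcome is `CLIENT KEY EXPIRED` has a credential problem on the KDC side, while a run of armor failures from one client IP after a KDC rebuild points at state cached on that client (which is what the reply proposes clearing under /var/lib/sss/db/) rather than at the users' passwords.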
