Good, thanks for confirmation. I filed a Bugzilla to add this information to the IPA guide:
https://bugzilla.redhat.com/show_bug.cgi?id=1224682

Please feel free to add any useful information you would like to see in the guide to the Bugzilla comment.

Thank you,
Martin

On 05/25/2015 11:00 AM, Bob Hinton wrote:
> Hi Martin,
>
> Yes. This fixes the problem on a newly recreated ipamaster - it didn't
> work on the one I'd been playing around with.
>
> So the complete rebuild sequence was...
>
> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>    login as an admin user with sudo to root access
>    sudo -i
>    ipa-backup
>    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>    scp ipa004_backups_22052015.tgz to a backup system, destroy old
>    ipamaster VM
>
> 2) Recreate ipamaster VM (identical configuration to original)
>    From backup system -
>    scp ipa004_backups_22052015.tgz admin@ipa004:
>    ssh admin@ipa004
>    su (enter root password - no users with sudo access exist yet)
>    tar xvfPz ipa004_backups_22052015.tgz
>    ipa-restore ipa-full-2015-05-22-17-28-01
>    systemctl stop sssd
>    rm -f /var/lib/sss/db/*
>    systemctl start sssd
>
> Many thanks
>
> Bob
>
> On 25/05/2015 07:10, Martin Kosek wrote:
>> On 05/23/2015 01:51 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
>>> and recreating the ipamaster VM then using ipa-restore on the rebuilt
>>> master.
>>>
>>> Most functions of the newly built master work. Logging in via ssh with
>>> keys works but using passwords produces "Permission denied, please try
>>> again".
>>>
>>> Password attempts are logged with Authentication Failure in /var/log/secure
>>>
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>>> May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>>>
>>> I have two test users "adminuser" and "auser". I've tried various things
>>> with auser involving kadmin.local to attempt to change the kerberos
>>> password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
>>> try and force the user keytab to be invalid in the hope that it would be
>>> recreated, but this hasn't had any impact apart from slightly different
>>> errors in /var/log/krb5kdc.log (see below).
>>>
>>> I've also tried replacing the keytab by using "ipa-getkeytab -p
>>> host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s
>>> localhost" to create a new one and then copy it over /etc/krb5.keytab,
>>> but this also didn't have any impact.
>>>
>>> Can anyone tell me what I need to do to make ssh password authentication
>>> work on a newly created ipamaster with ipa populated via ipa-restore?
>>>
>>> The VM is RHEL7.1 with the following versions of ipa-server and
>>> ipa-client installed.
>>>
>>> Many thanks
>>>
>>> Bob
>>>
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 4.2 M
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA server you need
>>>             : to install this package (in other words, most people should NOT install
>>>             : this package).
>>>
>>> Name        : ipa-client
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 440 k
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : IPA authentication for use on clients
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>>             : user, virtual machines, groups, authentication credentials), Policy
>>>             : (configuration settings, access control information) and Audit (events,
>>>             : logs, analysis thereof). If your network uses IPA for authentication,
>>>             : this package should be installed on every client machine.
>>>
>>>
>>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: host/ipa004.test.jackland...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication required
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/ipa004.test.jackland...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/ipa004.test.jackland...@test.jackland.uk for ldap/ipa004.test.jackland...@test.jackland.uk
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170, etypes {rep=18 tkt=18 ses=18}, ad...@test.jackland.uk for ldap/ipa004.test.jackland...@test.jackland.uk
>>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: au...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Password has expired
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: au...@test.jackland.uk for kadmin/chang...@test.jackland.uk, Additional pre-authentication required
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: au...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Password has expired
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: au...@test.jackland.uk for kadmin/chang...@test.jackland.uk, Additional pre-authentication required
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminu...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication required
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminu...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication required
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa004.test.jackland...@test.jackland.uk for ldap/ipa004.test.jackland...@test.jackland.uk
>>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ... CONSTRAINED-DELEGATION s4u-client=ad...@test.jackland.uk
>>>
>>
>> This log is strange:
>>
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>
>> I assume SSSD's attempts generate this log. Would stopping SSSD, cleaning its
>> caches (including fast ccache) in /var/lib/sss/db/ and starting again help?
>>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
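A small detector for the symptom discussed in this thread, added here as an example and not code from the thread or from FreeIPA: it pairs sshd's pam_sss failures in /var/log/secure with the KDC's "Decrypt integrity check failed while handling ap-request armor" entries from krb5kdc.log, the pattern Martin attributed to SSSD's stale FAST ccache and that clearing /var/lib/sss/db/ resolved. The sample log lines are constructed from the ones quoted above (one record per line), and the year is assumed to be 2015 because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the logs quoted in the thread; the
# unpaired 12:09:20 armor error shows what the correlation leaves out.
SECURE_LOG = """\
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
"""
KDC_LOG = """\
May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
"""
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
PAM_SSS_FAIL = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.*?rhost=(\S*) user=(\S+)")
FAST_ARMOR = re.compile(r"krb5kdc\[\d+\]\(info\): AS_REQ .*? (\S+): error decoding FAST: "
                        r".*Decrypt integrity check failed while handling ap-request armor")

def _scan(text, regex, year=2015):
    # Yield (timestamp, *regex groups) per matching line; year is assumed (syslog has none).
    for line in text.splitlines():
        m = regex.search(line)
        if m:
            stamp = SYSLOG_TS.match(line).group(1)
            yield (datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),) + m.groups()

def pam_sss_failures(text):
    return list(_scan(text, PAM_SSS_FAIL))      # [(time, rhost, user)]

def fast_armor_errors(text):
    return list(_scan(text, FAST_ARMOR))        # [(time, kdc_client_ip)]

def correlate(secure_text, kdc_text, window_s=5):
    """Pair each pam_sss failure with a FAST armor error logged within window_s seconds."""
    armor = fast_armor_errors(kdc_text)
    hits = []
    for ts, rhost, user in pam_sss_failures(secure_text):
        near = [ip for kts, ip in armor if abs((kts - ts).total_seconds()) <= window_s]
        if near:
            hits.append({"user": user, "rhost": rhost, "time": ts, "kdc_client": near[0]})
    return hits

def diagnose(secure_text, kdc_text):
    """Every pam_sss failure matched by an armor error points at SSSD's stale FAST ccache."""
    fails, hits = pam_sss_failures(secure_text), correlate(secure_text, kdc_text)
    if not fails:
        return "ok: no pam_sss authentication failures"
    if len(hits) == len(fails):
        return "suspect stale SSSD FAST ccache: stop sssd, clear /var/lib/sss/db/, start sssd"
    return f"mixed: {len(fails) - len(hits)} of {len(fails)} failures have no FAST armor error"
```

Run it against the real files (`diagnose(open('/var/log/secure').read(), open('/var/log/krb5kdc.log').read())`) on a freshly restored master; a "mixed" verdict means password failures that the stale-cache explanation does not cover.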