On Fri, 29 May 2015, Christopher Lamb wrote:
> Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> across the users.
>
> We have 50-odd servers that are FreeIPA clients. Today I started migrating
> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> server by doing an ipa-client-install --uninstall from the old, and
> ipa-client-install to register with the new 4.1.0 server.
>
> Most of the FreeIPA clients are running OEL 6.5, and for these the
> migration process above worked perfectly. After migrating the server, I
> could ssh in with my FreeIPA user.
>
> Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> getent passwd was successful for my FreeIPA user. However, when I try and
> ssh in, my FreeIPA user / password is not accepted.
>
> Before the migration I could ssh into the problem server (though evidently
> it was using my FreeIPA user from the old FreeIPA server).
>
> I can ssh in with a local (non-LDAP) user, so ssh is running and working.
>
> From user root I can successfully su to my FreeIPA user.
>
> Further investigation showed that the version of ipa-client installed was
> 3.3.3, so I yum updated this to 4.1.0.
>
> However, I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> same user continues to work for the 6.5 boxes.
>
> A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> so the problem is not my user, but is probably for all FreeIPA users.
>
> A failed ssh login attempt causes the following error in /var/log/messages:
>
> [sssd[krb5_child]]: Decrypt integrity check failed

It means /etc/krb5.keytab contains keys from an older system and SSSD
picks them up.

Can you show the output of 'klist -kKet'?

/ Alexander Bokovoy
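
One way to read the requested 'klist -kKet' output for the condition described in the reply, as an added example that is not part of the original thread: it groups keytab entries per principal, flags principals whose entries carry more than one KVNO or write date, and leaves the key column out of the summary. The MIT klist column layout, the function names and the sample host, realm and key values are assumptions; several KVNOs can also be left by normal key rotation, so MIXED is a hint to look closer, not a verdict.

```shell
#!/bin/sh
# Added example. Real use on the client, as root:  klist -kKet | keytab_summary
# Assumes MIT klist layout: KVNO, date, time, principal, (enctype), (key).

keytab_summary() {
    awk '
    $1 ~ /^[0-9]+$/ {
        p = ""
        for (i = 2; i <= NF; i++) if ($i ~ /@/) { p = $i; break }
        if (p == "") next
        if (!(p in n)) order[++count] = p
        n[p]++
        # Record each distinct KVNO and write date once per principal.
        if (!((p, "k", $1) in seen)) {
            seen[p, "k", $1] = 1; nk[p]++
            kv[p] = kv[p] (kv[p] == "" ? "" : ",") $1
        }
        if (!((p, "d", $2) in seen)) {
            seen[p, "d", $2] = 1; nd[p]++
            dt[p] = dt[p] (dt[p] == "" ? "" : ",") $2
        }
    }
    END {
        for (j = 1; j <= count; j++) {
            p = order[j]
            # Heuristic: several KVNOs or write dates suggest leftover keys.
            state = (nk[p] > 1 || nd[p] > 1) ? "MIXED" : "OK"
            printf "%s %s entries=%d kvno=%s written=%s\n", state, p, n[p], kv[p], dt[p]
        }
    }'
}

# Constructed sample output; host names, realm and key values are placeholders.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/04/2014 09:15:02 host/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x0000000000000000)
   3 11/04/2014 09:15:02 host/client1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)  (0x0000000000000000)
   1 05/29/2015 14:40:11 host/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x1111111111111111)
   1 05/29/2015 14:40:11 host/client1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)  (0x1111111111111111)
   1 05/29/2015 14:41:30 nfs/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x2222222222222222)
EOF
}

sample_klist_output | keytab_summary
```

The summary lines contain no key material, so they can be pasted into a public list reply where the raw -K output should not be.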