It gives me pleasure to report the problem is solved - a minute ago I was
able to login via ssh with my FreeIPA user to the problem server, while
sitting on my terrace with a glass of wine!
Thanks to Alexander for his helpful advice - we had some mail exchange
outside the user list as I did not wish to broadcast content of keys,
config files etc.
Regardless of what I did with commands like klist and kvno, everything seemed
"ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
Therefore I decided to opt for brute force and (partial) ignorance. I
completely uninstalled the FreeIPA client, and then reinstalled, configured
- et voilà, I could ssh in!
This leaves the enigma: what caused the problem? I suspect the following:
The host is an EL 7.1, but the first FreeIPA client installed was version
3.3.3 (installed as a set of standard packages that we bung on all our
This worked fine to authenticate against our "old" 3.x FreeIPA server, but
did not work against the "new" 4.1 FreeIPA Server.
When I realised I could not ssh in, one of the first things I did was to
yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
The solution was to yum remove the FreeIPA client, then yum install the 4.1
I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
it will be interesting to see if the problem can be reproduced.
Keep up the good work,
From: Alexander Bokovoy <aboko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Date: 29.05.2015 18:04
Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
On Fri, 29 May 2015, Christopher Lamb wrote:
>Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>Then I migrated an OEL 7.1 server. The migration itself seemed to work,
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>From user root I can successfully su to my FreeIPA user.
>Further investigation showed that version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>so the problem is not my user, but is probably for all FreeIPA users.
>A failed ssh login attempt causes the following error in /var/log/messages
>[sssd[krb5_child]]: Decrypt integrity check failed
It means /etc/krb5.keytab contains keys from the older system and SSSD
picks them up.
Can you show the output of 'klist -kKet'?
/ Alexander Bokovoy
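An added check for the situation Alexander describes (stale keytab entries after re-enrolment); this script is not from the thread or from FreeIPA. It assumes MIT-style `klist -kKet` and `kvno` output, and both samples below are constructed, with the hostname, realm and hex keys made up.

```shell
#!/bin/sh
# Added check: compare the KVNO of every /etc/krb5.keytab entry (from
# `klist -kKet`) with the KVNO the KDC currently issues for that principal
# (from `kvno`). Entries left behind by an earlier enrolment carry an old
# KVNO; sssd's krb5_child then fails with "Decrypt integrity check failed".

# Constructed sample of `klist -kKet /etc/krb5.keytab` output (no real keys).
# The kvno 2 entries are the stale ones from the previous server.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2015 09:01:10 host/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x0011223344)
   2 05/20/2015 09:01:10 host/web1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x5566778899)
   4 05/29/2015 18:30:02 host/web1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0xaabbccddee)'

# Constructed sample of `kvno host/web1.example.com@EXAMPLE.COM` output.
KVNO_SAMPLE='host/web1.example.com@EXAMPLE.COM: kvno = 4'

# Keytab listing -> "kvno principal etype", one line per entry (headers skipped).
parse_klist() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# kvno output ("principal: kvno = N") -> "principal N".
parse_kvno() {
    printf '%s\n' "$1" | awk -F': kvno = ' 'NF == 2 { print $1, $2 }'
}

# Print STALE/UNKNOWN findings; exit 0 when every entry matches the KDC, 1 otherwise.
find_stale_entries() {
    {
        parse_kvno "$2" | sed 's/^/KDC /'
        parse_klist "$1" | sed 's/^/KT /'
    } | awk '
        $1 == "KDC" { current[$2] = $3; next }
        $1 == "KT" {
            kt_kvno = $2; princ = $3; etype = $4
            if (!(princ in current)) { print "UNKNOWN " princ " kvno " kt_kvno; next }
            if (kt_kvno != current[princ]) {
                print "STALE " princ " keytab kvno " kt_kvno " kdc kvno " current[princ] " " etype
                stale++
            }
        }
        END { exit (stale > 0 ? 1 : 0) }'
}

# Against the constructed samples this reports the two kvno 2 entries as stale.
find_stale_entries "$KLIST_SAMPLE" "$KVNO_SAMPLE" || echo "stale keytab entries found: re-enrol the host"
```

A matching KVNO does not prove the key material matches (a fresh server can reuse the same number), so the conclusive test is `kinit -kt /etc/krb5.keytab host/<fqdn>` on the client. If that fails, re-enrolling the client as the thread did is the fix.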
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project