On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> Hi All
>
> Bad news.
>
> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> remote login with FreeIPA user and password).
>
> Today I tried a second machine, and had the same problem, ssh connections
> with FreeIPA user cause "[sssd[krb5_child]]: Decrypt integrity check
> failed"

This really just means wrong password, can you kinit as that user using the
same password?

> Ahh I thought, I have a solution for that: just remove ipa-client and
> reinstall via yum, register with the new FreeIPA server ....
>
> Only with this second machine I still can't ssh in with a FreeIPA user.
> Argg.....
>
> b.t.w, as this machine is a real physical server, I was able to try logging
> in direct with my FreeIPA user --> "Authentication Failure"
>
> I now have
> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
>   FreeIPA server to the new without a hitch (i.e. they successfully
>   authenticate FreeIPA users.)
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
>   with problems
> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
>   authenticate with a FreeIPA user
> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
>   FreeIPA server, and successfully authenticates FreeIPA users.
>
> Any ideas?
>
> Chris
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: Alexander Bokovoy <aboko...@redhat.com>, firstname.lastname@example.org
> Date: 30.05.2015 18:52
> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> Sent by: freeipa-users-boun...@redhat.com
>
> Hi All
>
> It gives me pleasure to report the problem is solved - a minute ago I was
> able to login via ssh with my FreeIPA user to the problem server, while
> sitting on my terrace with a glass of wine!
>
> Thanks to Alexander for his helpful advice - we had some mail exchange
> outside the user list as I did not wish to broadcast content of keys,
> config files etc.
>
> Regardless of what I did with commands like klist, kvno everything seemed
> "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
>
> Therefore I decided to opt for brute force and (partial) ignorance. I
> completely uninstalled the FreeIPA client, and then reinstalled, configured
> - et voilà I could ssh in!
>
> This leaves the enigma: what caused the problem? I suspect the following:
>
> The host is an EL 7.1, but the first FreeIPA client installed was version
> 3.3.3 (installed as set of standard packages that we bung on all our
> servers).
>
> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> did not work against the "new" 4.1 FreeIPA Server.
>
> When I realised I could not ssh in, one of the first things I did was to
> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> The solution was to yum remove the FreeIPA client, then yum install the 4.1
> client.
>
> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> it will be interesting to see if the problem can be reproduced.
>
> Keep up the good work,
>
> Chris
>
> From: Alexander Bokovoy <aboko...@redhat.com>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: email@example.com
> Date: 29.05.2015 18:04
> Subject: Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>
> > On Fri, 29 May 2015, Christopher Lamb wrote:
> > > Hi All
> > >
> > > Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> > > the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> > > across the users.
> > >
> > > We have 50 odd Servers that are FreeIPA clients. Today I started migrating
> > > these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> > > server by doing an ipa-client-install --uninstall from the old, and
> > > ipa-client-install to register with the new 4.1.0 server.
> > >
> > > Most of the FreeIPA clients are running OEL 6.5, and for these the
> > > migration process above worked perfectly. After migrating the server, I
> > > could ssh in with my FreeIPA user.
> > >
> > > Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> > > getent passwd was successful for my FreeIPA user. However when I try and
> > > ssh in, my FreeIPA user / password is not accepted.
> > >
> > > Before the migration I could ssh into the problem server (though evidently
> > > it was using my FreeIPA user from the old FreeIPA server).
> > >
> > > I can ssh in with a local (non ldap) user, so ssh is running and working.
> > >
> > > From user root I can successfully su to my FreeIPA user.
> > >
> > > Further investigation showed that version of ipa-client installed was
> > > 3.3.3, so I yum updated this to 4.1.0.
> > >
> > > However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> > > same user continues to work for the 6.5 boxes.
> > >
> > > A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> > > so the problem is not my user, but is probably for all FreeIPA users.
> > >
> > > A failed ssh login attempt causes the following error in /var/log/messages
> > >
> > > [sssd[krb5_child]]: Decrypt integrity check failed
> > It means /etc/krb5.keytab contains keys from older system and SSSD
> > picks them up.
> > Can you show output of 'klist -kKet'?
> > --
> > / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
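A check that follows Alexander's diagnosis in the thread: when /etc/krb5.keytab still carries the host key from an earlier enrolment, the key version number (KVNO) of its host/ entries usually no longer matches the KVNO the KDC now issues for that principal, and sssd's krb5_child cannot decrypt what the KDC sends. The script below is an added example, not code from the thread or from the FreeIPA project. It parses the output of the two MIT Kerberos commands the thread mentions (klist -kKet and kvno) and reports whether the keytab holds the version the KDC expects. The function names, the principal host/client.example.test@EXAMPLE.TEST and the sample command outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): detect a client
# keytab whose host key is left over from a previous enrolment by comparing
# the key version numbers (KVNO) in `klist -kKet` output with the KVNO the
# KDC currently reports via `kvno`. Function names and sample data are
# constructed for this example.

# Print "principal kvno" for every entry in `klist -kKet` output.
# MIT layout: "   KVNO MM/DD/YYYY HH:MM:SS principal (enctype)  (0xkey)";
# header lines do not start with a number and are skipped.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4, $1 }'
}

# Turn the `kvno` line "principal: kvno = N" into "principal N".
# Error lines from kvno ("kvno: Server not found ...") produce no output.
kdc_kvno() {
    awk -F'[: =]+' '$2 == "kvno" { print $1, $3 }'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT
# Returns 0 if the keytab has an entry for the principal at the KVNO the KDC
# issues, 1 if the keytab is stale or lacks the principal, 2 if kvno's
# output could not be parsed (e.g. the KDC was unreachable).
check_kvno() {
    keytab="$1"
    set -- $(printf '%s\n' "$2" | kdc_kvno)
    princ="$1"; want="$2"
    if [ -z "$princ" ] || [ -z "$want" ]; then
        echo "could not parse kvno output" >&2
        return 2
    fi
    have=$(printf '%s\n' "$keytab" | keytab_entries \
           | awk -v p="$princ" '$1 == p { print $2 }' | sort -u)
    if printf '%s\n' "$have" | grep -qx "$want"; then
        echo "OK: keytab holds $princ at kvno $want"
        return 0
    fi
    echo "MISMATCH: KDC issues kvno $want for $princ; keytab has: ${have:-no entry}" >&2
    return 1
}

# Constructed sample output, in the format of the real tools.
# A keytab written by the old enrolment (kvno 2) while the KDC is at kvno 3:
STALE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2015 09:12:44 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x00)
   2 05/20/2015 09:12:44 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)  (0x00)'
# The keytab after a clean re-enrolment:
FRESH_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/30/2015 18:40:01 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x00)'
KDC_SAYS='host/client.example.test@EXAMPLE.TEST: kvno = 3'

# On a real client (after kinit as any user, so kvno can fetch a ticket)
# the two arguments would be
#   check_kvno "$(klist -kKet)" "$(kvno "host/$(hostname -f)")"
check_kvno "$STALE_KEYTAB" "$KDC_SAYS" || echo "(stale keytab detected, as expected)"
check_kvno "$FRESH_KEYTAB" "$KDC_SAYS"
```

A matching KVNO shows the keytab is at the version the KDC expects, but it does not prove the key material itself matches: a client re-enrolled against a different server can end up with the same version number and a different key. The decisive test exercises the key directly, for example kinit -kt /etc/krb5.keytab host/$(hostname -f); if that fails with a preauthentication error while the KVNOs agree, the keytab contents are wrong and re-enrolment (as Chris ended up doing) is the fix.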