> On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30.  The server is CentOS 7 / IPA 4.1.3
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one
>> client, and fails on the other.  I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
>> and
>> they are identical (other than the hostnames).  I can't seem to find any
>> other difference between the clients.
>> Password authentication works on both machines.
>> Here is the dub log of the failed login machine (sshd)
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>> Postponed gssapi-with-mic for username from port 15076 ssh2
> This message is in the other log as well and I think this is ok.
> Have you check if the keytab on the host with issue has the latest key
> version?
> To check the call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestory
> and kinit on the client to remove the old now invalid ticket from the
> client's credential cache.
> bye,
> Sumit

It turns out this was something really basic.

We had multiple DNS entries for this host, and the reverse entry did not
match the DNS name I was connecting to the host with.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to