Hello,


I am starting to see some issues with a few RHEL 7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.


RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64

RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64


The RHEL 7 client shows this in messages

Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support for encryption type
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

I am also not seeing host certs for them on the IPA server, but I do see
them on the local box.

[root@server1 pam.d]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/server1.ipa.local@IPA.LOCAL
   2    1 host/server1.ipa.local@IPA.LOCAL
   3    1 host/server1.ipa.local@IPA.LOCAL
   4    1 host/server1.ipa.local@IPA.LOCAL
ktutil:


I have one RHEL 7 box with no issues as it was just enrolled (missing host
certs in IPA though), and I compared an IPA ID login with a box not
working:
Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'

vs

Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'

It's almost as if the pam files are not being read?



Sean Hogan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
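An added check that is not part of the post above and not FreeIPA or SSSD code: a small parser for the MIT keytab file format (version 0x0502) that reports each slot's enctype, which the `ktutil` listing in the post does not show, and flags slots a client's permitted-enctype set cannot use, the condition behind "Program lacks support for encryption type". The keytab bytes, the function names and the client policy set `{17, 18, 23}` are constructed for illustration.

```python
import struct

def _counted(s: str) -> bytes:      # uint16 length followed by the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def keytab_entry(components, realm, kvno, enctype, key, ts=0, name_type=1):
    """Encode one keytab entry (format 0x0502); used only to build the sample."""
    body = struct.pack(">H", len(components)) + _counted(realm)
    body += b"".join(_counted(c) for c in components)
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) per entry; ktutil's `l` hides the enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode()); pos += 2 + n
        realm, comps = strings[0], strings[1:]
        pos += 8                      # skip name_type (4) and timestamp (4)
        vno = data[pos]; pos += 1
        enctype, keylen = struct.unpack_from(">HH", data, pos); pos += 4 + keylen
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm, vno, enctype

def unsupported_entries(data: bytes, client_enctypes):
    """Keytab entries whose enctype is not in the client's permitted set."""
    return [(p, k, e) for p, k, e in parse_keytab(data) if e not in client_enctypes]

# Constructed sample (not a real keytab): four slots for the host principal from the
# post, one per enctype: 18=aes256-cts, 17=aes128-cts, 16=des3-cbc-sha1, 23=arcfour-hmac.
# Keys are zero-filled dummies, never real key material.
HOST = ["host", "server1.ipa.local"]
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    keytab_entry(HOST, "IPA.LOCAL", 1, et, b"\x00" * ln)
    for et, ln in ((18, 32), (17, 16), (16, 24), (23, 16)))
# Hypothetical client policy permitting only AES and RC4: the des3 slot is flagged.
FLAGGED = unsupported_entries(SAMPLE_KEYTAB, {17, 18, 23})
```

On a real client, compare the reported enctypes against `permitted_enctypes` in `/etc/krb5.conf`; any slot outside that set cannot be used to decrypt the ticket for that principal.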