Hello,
I am starting to see some issues with a few RHEL7 boxes I have been enrolling to my RHEL 6 IPA server regarding encryption.

RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64

RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64

The RHEL 7 client shows this in messages:

Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support for encryption type
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

I am also not seeing host certs for them on the IPA server, but I do see them on the local box.

[root@server1 pam.d]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/server1.ipa.local@IPA.LOCAL
   2    1 host/server1.ipa.local@IPA.LOCAL
   3    1 host/server1.ipa.local@IPA.LOCAL
   4    1 host/server1.ipa.local@IPA.LOCAL
ktutil:

I have one RHEL 7 box with no issues, as it was just enrolled (missing host certs in IPA though), and I compared an IPA ID login with a box not working.

Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'

vs

Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'

It's almost as if the pam files are not being read?

Sean Hogan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project