Sorry.. listing ouput of klist -e and klist -ke...  but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails


Klists

[root@server1 read]# klist -e
Ticket cache: KEYRING:persistent:111111111:11111111111
Default principal: admin@ipa.local

Valid starting       Expires              Service principal
11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/ipa.local@IPA.LOCAL
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


[root@server1 read]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)



Kinits

[root@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
        [-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C]
        [-E]
        [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
        [-S service_name] [-T ticket_armor_cache]
        [-X <attribute>[=<value>]] [principal]

    options:    -V verbose
        -l lifetime
        -s start time
        -r renewable lifetime
        -f forwardable
        -F not forwardable
        -p proxiable
        -P not proxiable
        -n anonymous
        -a include addresses
        -A do not include addresses
        -v validate
        -R renew
        -C canonicalize
        -E client is enterprise principal name
        -k use keytab
        -i use default client keytab (with -k)
        -t filename of keytab to use
        -c Kerberos 5 cache name
        -S service
        -T armor credential cache
        -X <attribute>[=<value>]

[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting initial
credentials
[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Program lacks support for encryption type while getting initial
credentials


Sean Hogan










From:   Martin Babinsky <mbabi...@redhat.com>
To:     Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
Cc:     freeipa-users@redhat.com
Date:   11/16/2016 09:33 AM
Subject:        Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



On 11/16/2016 05:14 PM, Sean Hogan wrote:
> Hi Jakub,
>
> Thanks... here is output
>
>
> *klist -ke*
> [root@server1 rusers]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
>
--------------------------------------------------------------------------
> 1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
> 1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
> 1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
> 1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
>
>
>
> *kinit -k odd though as kinit -k seems to fail but kinit with admin
> seems to work indicating I can hit the KDC even though kinit -k says I
> cannot?*
>
> [root@server1 pam.d]# kinit -k server1
> kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while
> getting initial credentials
> [root@server1 pam.d]# kinit -k server1.IPA.LOCAL
> kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL
> while getting initial credentials
You need to specify full principal name as printed from klist command,
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local

> [root@server1 pam.d]# kinit admin
> Password for admin@ipa.local:
> [root@server1 pam.d]#
> [root@server1 pam.d]# klist
> Ticket cache: KEYRING:persistent:1111111111:1111111111
> Default principal: admin@IPA.LOCAL
>
> Valid starting Expires Service principal
> 11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/IPA.LOCAL@IPA.LOCAL
>
> [root@server1 pam.d]# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 1 host/server1.ipa.local@IPA.LOCAL
> 2 1 host/server1.ipa.local@IPA.LOCAL
> 3 1 host/server1.ipa.local@IPA.LOCAL
> 4 1 host/server1.ipa.local@IPA.LOCAL
>
>
>
> *Added debug_level = 10 on the domain section of sssd.conf and restarted
> is all I see*
> [root@server1 sssd]# cat ldap_child.log
> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
>
>
>
>
> *Additonal:*
>
> [root@server1 rusers]# systemctl -l status sssd.service
> sssd.service - System Security Services Daemon
> Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
> Drop-In: /etc/systemd/system/sssd.service.d
> └─journal.conf
> Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
> Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
> Main PID: 3042 (sssd)
> CGroup: /system.slice/sssd.service
> ├─3042 /usr/sbin/sssd -D -f
> ├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0
> --debug-to-files
> ├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
> ├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
> ├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
> ├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
> └─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
>
> Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
> Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
> Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security
> Services Daemon.
> Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed
> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP
> connection.
> [root@server1 rusers]#
>
> Seeing this in /var/log/sssd/sssd_ipa.local.log
>
> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init]
> (0x0010): fatal error initializing data providers
> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could
> not initialize backend [14]
> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]]
> [select_principal_from_keytab] (0x0010): Failed to read keytab
> [default]: Bad address
> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module]
> (0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
>
> This is also strange but might be side effect I assume.. we mount NFS v4
> home dir with automount for central homes and profiles.. on the boxes
> having this issue some of the IDs show just the UID numbers/GID numebrs
> where some of the IDs actually show the UID name/GID name. We have over
> 2k servers showing the UID name/GID name with no issues.. just the boxes
> having this issue.
>
>
>
> Sean Hogan
>
>
>
>
>
>
> Inactive hide details for Jakub Hrozek ---11/16/2016 02:29:52 AM---On
> Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: Jakub Hrozek
> ---11/16/2016 02:29:52 AM---On Tue, Nov 15, 2016 at 07:24:38PM -0700,
> Sean Hogan wrote: >
>
> From: Jakub Hrozek <jhro...@redhat.com>
> To: freeipa-users@redhat.com
> Date: 11/16/2016 02:29 AM
> Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
> Sent by: freeipa-users-boun...@redhat.com
>
> ------------------------------------------------------------------------
>
>
>
> On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
>>
>>
>> Hello,
>>
>>
>>    I am starting to see some issues with a few RHEL7 boxes I have been
>> enrolling to my RHEL 6 IPA server regarding encryption.
>>
>>
>> RHEL 7 client
>> Red Hat Enterprise Linux Server release 7.1 (Maipo)
>> sssd-ipa-1.12.2-58.el7_1.18.x86_64
>> ipa-client-4.1.0-18.el7_1.4.x86_64
>>
>> RHEL 6 Server
>> Red Hat Enterprise Linux Server release 6.8 (Santiago)
>> sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> ipa-server-3.0.0-50.el6.1.x86_64
>>
>>
>> The RHEL 7 client shows this in messages
>>
>> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
>> for encryption type
>
> Could you post a more verbose ldap_child log (debug_level=10 includes
> KRB5_TRACE-level messages) so that we see what kind of crypto was used?
>
>> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
> check
>> failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
>> I am also not seeing host certs for them on the ipa server but I do see
>> them on the local box.
>>
>> [root@server1 pam.d]# ktutil
>
> Can you run klist -ke as well to see what encryption types are included
> in the keytab?
>
> Is it possible to run "kinit -k" on the client?
>
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ----
>> ---------------------------------------------------------------------
>>    1    1 host/server1.ipa.local@IPA.LOCAL
>>    2    1 host/server1.ipa.local@IPA.LOCAL
>>    3    1 host/server1.ipa.local@IPA.LOCAL
>>    4    1 host/server1.ipa.local@IPA.LOCAL
>> ktutil:
>>
>>
>> I have one RHEL 7 box with no issues as it was just enrolled (missing
host
>> certs in IPA though)  and I compared and IPA ID login with a box not
>> working
>> *NOT Work*
>> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
>> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> msg='op=PAM:authentication grantors=? acct="janedoe"
exe="/usr/sbin/sshd"
>> hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed'
>>
>> vs
>>
>> Works
>> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
>> auid=4294967295 ses=4294967295
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
>> msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit
acct="janedoe"
>> exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
>> res=success'
>>
>> Its almost as if the pam files are not being read?
>>
>>
>>
>> Sean Hogan
>>
>>
>>
>>
>>
>>
>
>
>
>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
>
>


--
Martin^3 Babinsky



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to