Thank you, this pointed me to a new direction.

So here was the problem (but I still don't know what caused it):
In the logs, I found that, when starting, sssd would try to kinit -kt /etc/krb5.keytab host/
And that would throw:
kinit: Program lacks support for encryption type while getting initial credentials

So I ran klist -ke on each node (the one properly working, and the failing one) and both showed the same encryption types:

I began to think the issue was not about the encryption type, but a corrupted krb5.keytab. So I generated a new one using:
ipa-join -h -s

That gave me a new krb5.keytab, but kinit on it gave me:
kinit: Password incorrect while getting initial credentials

I didn't know what to do at this point and frustration was too big, so I just un-enrolled and re-enrolled the host, and everything worked.

Really frustrating not to know what the problem was...
Let's consider the problem is solved, but if anybody has an idea of what was going around...



*Michaël Van de Borne*
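The troubleshooting above compares the enctypes in the host keytab (klist -ke) against what the local Kerberos library will accept, which is one common cause of "Program lacks support for encryption type" on kinit -kt. The script below is an added example, not code from the thread or from SSSD/FreeIPA: it parses klist -ke style output and flags every keytab entry whose enctype is outside a permitted list. The klist output and the permitted list are constructed (assumptions); on a real host you would feed it "$(klist -ke /etc/krb5.keytab)" and the enctypes permitted by /etc/krb5.conf.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Flags keytab entries whose enctype the
# local Kerberos library is not configured to accept; such entries make
# "kinit -kt /etc/krb5.keytab host/..." fail with
# "Program lacks support for encryption type".

# Constructed sample of `klist -ke /etc/krb5.keytab` output (hypothetical host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)'

# Enctypes the local library accepts (assumed; on a real host derive this from
# permitted_enctypes / allow_weak_crypto in /etc/krb5.conf).
PERMITTED="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Print "<principal> <enctype>" for each keytab entry whose enctype is not in $2.
# $1: klist -ke output, $2: space-separated list of permitted enctypes.
unsupported_enctypes() {
    # Keep only entry lines ("   2 principal (enctype)") and split them.
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]* \(.*\) (\(.*\)) *$/\1 \2/p' |
    while read -r principal enctype; do
        case " $2 " in
            *" $enctype "*) ;;                          # permitted, nothing to report
            *) printf '%s %s\n' "$principal" "$enctype" ;;
        esac
    done
}

# Exit 0 when every keytab entry uses a permitted enctype, 1 otherwise.
keytab_ok() {
    [ -z "$(unsupported_enctypes "$1" "$2")" ]
}

# Run against the constructed sample; expected: one des3-cbc-sha1 entry flagged.
if keytab_ok "$SAMPLE_KLIST" "$PERMITTED"; then
    echo "keytab OK: all entries use a permitted enctype"
else
    echo "keytab entries the local library will reject:"
    unsupported_enctypes "$SAMPLE_KLIST" "$PERMITTED"
fi
```

A clean result here but a "Password incorrect" on kinit -kt points elsewhere (a stale keytab whose KVNO no longer matches the host entry in IPA), which is consistent with re-enrolling the host being what finally fixed it.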

On 22-03-17 at 17:51, Jakub Hrozek wrote:
On Wed, Mar 22, 2017 at 05:30:34PM +0100, Michaël Van de Borne wrote:
Hi all,

So I have 2 Centos7 hosts, with same sssd and nsswitch configs.
One does find the users in IPA, and the other doesn't.
Looks like the Data Provider is offline.
I sent the SIGUSR2 signal to sssd which is supposed to bring it online.
Didn't help.
The hosts can resolve the IPA server hostname. SElinux is enforced. Iptables
is disabled.

here's my sssd.conf

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain =
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname =
chpass_provider = ipa
ipa_server = _srv_,
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 7
services = nss, sudo, pam, ssh
domains =
homedir_substring = /home
debug_level = 7

here's the log of sssd_nss.log

(Wed Mar 22 16:27:22 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17][SSS_NSS_GETPWNAM] with input [vdbornem].
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'vdbornem' matched without domain, user is vdbornem
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [vdbornem] from [<ALL>]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for []
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for []
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request []
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data
Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
Unable to get information from Data Provider
Error: 3, 5, Failed to get reply from Data Provider
Will try to return what we have in cache
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: []
(Wed Mar 22 16:27:22 2017) [sssd[nss]] [client_recv] (0x0200): Client
Restart sssd, which starts from a clean slate, then look for the first
occurrence of "Going offline" or "Not working" in the logs, then check
which operation triggered that.
