Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Log,



The error is "Host is already joined" so no keytab is requested. The 
enrollment failed.


ipa-client-install --uninstall should unenroll the client (you can 
verify that Keytab is False in ipa host-show  on the IPA 
server).


If so running ipa-client-install on the client should configure things 
properly.


rob



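The diagnosis the thread converges on (SSSD cannot start its IPA back end because /etc/krb5.keytab holds no host principal, and ipaclient-install.log shows why: ipa-join stopped at "Host is already joined", so no keytab was ever requested) as an added, offline triage script. This is example code written for this page, not part of FreeIPA or SSSD. It assumes the three inputs are handed over as text: the output of klist -k /etc/krb5.keytab, lines from /var/log/sssd/sssd_<domain>.log and lines from /var/log/ipaclient-install.log. The sample lines embedded below are constructed after the ones in the thread, with the list archive's e-mail obfuscation of the principal undone; the function names are this example's own.

```python
"""Offline triage for the failure in this thread: SSSD's IPA back end refuses to
start because /etc/krb5.keytab has no host principal, and ipaclient-install.log
shows why (ipa-join stopped at "Host is already joined", so no keytab was fetched)."""
import re

# SSSD's keytab check as logged in /var/log/sssd/sssd_<domain>.log
SSSD_MISSING_RE = re.compile(
    r"\[sss_krb5_verify_keytab_ex\].*?Principal \[(?P<princ>[^\]]+)\] not found in keytab"
)
# ipa-join's stderr as recorded by ipa-client-install's debug log
ALREADY_JOINED_RE = re.compile(r"stderr=Host is already joined")


def keytab_has_host_principal(klist_output, fqdn, realm):
    """True if `klist -k` output lists host/<fqdn>@<REALM> at any KVNO."""
    wanted = "host/%s@%s" % (fqdn.lower(), realm.upper())
    for line in klist_output.splitlines():
        parts = line.split()
        # data rows look like "   2 host/client.example.com@EXAMPLE.COM"
        if len(parts) == 2 and parts[0].isdigit() and parts[1].lower() == wanted.lower():
            return True
    return False


def missing_principals_in_sssd_log(log_lines):
    """Principals SSSD reported missing, de-duplicated (the back end retries every few seconds)."""
    found = set()
    for line in log_lines:
        m = SSSD_MISSING_RE.search(line)
        if m:
            found.add(m.group("princ"))
    return sorted(found)


def install_reported_already_joined(log_lines):
    """True if ipa-join refused because the host entry already existed on the server."""
    return any(ALREADY_JOINED_RE.search(line) for line in log_lines)


def diagnose(fqdn, realm, klist_output, sssd_log, install_log):
    """Human-readable findings; empty means nothing in these inputs explains a login failure."""
    findings = []
    if not keytab_has_host_principal(klist_output, fqdn, realm):
        findings.append("keytab: no host/%s@%s entry in /etc/krb5.keytab" % (fqdn, realm))
    missing = missing_principals_in_sssd_log(sssd_log)
    if missing:
        findings.append("sssd: back end did not start, keytab lacks %s" % ", ".join(missing))
    if install_reported_already_joined(install_log):
        findings.append(
            "enrollment: ipa-join reported 'Host is already joined', so no keytab was requested; "
            "run ipa-client-install --uninstall, confirm 'Keytab: False' in ipa host-show on the "
            "server, then run ipa-client-install again")
    return findings


# Constructed samples modelled on the thread (the list archive's e-mail obfuscation
# of the principal is undone here); they are not copied from a live host.
SAMPLE_FQDN = "fed14-64-ipacl01.ipa.ac.nz"
SAMPLE_REALM = "IPA.AC.NZ"
SAMPLE_KLIST_EMPTY = "Keytab name: WRFILE:/etc/krb5.keytab\nKVNO Principal\n---- ---------\n"
SAMPLE_KLIST_OK = SAMPLE_KLIST_EMPTY + "   2 host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ\n"
SAMPLE_SSSD_LOG = [
    "(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): "
    "Principal [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]",
    "(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab",
    "(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]",
]
SAMPLE_INSTALL_LOG = [
    "2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s fed14-64-ipam001.ipa.ac.nz",
    "2011-03-04 15:09:13,931 DEBUG stdout=",
    "2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_FQDN, SAMPLE_REALM, SAMPLE_KLIST_EMPTY,
                            SAMPLE_SSSD_LOG, SAMPLE_INSTALL_LOG):
        print("-", finding)
```

On a real client, feed it the live files (klist -k output via subprocess, the two logs read from disk) and run it before touching the enrollment; if the keytab already carries the host principal and SSSD's log is clean, the problem is elsewhere (PAM or nsswitch) and re-enrolling will not help.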

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Hi,

I have just done another F14 client and I have the same issue.

regards


On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher  wrote:
> 
> > 
> > 
> > On Mar 8, 2011, at 5:45 PM, Steven Jones 
> > wrote:
> > 
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > 
> > > --
> > > 
> > > 8><-
> > 
> > Looks like you have no host key in the keytab. That's the root of the
> > problem. Seems like IPA-client-install failed to populate it. Rob, do
> > you have any insight here?
> 
> does /var/log/ipaclient-install.log show any error ?
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Hi,

Log,


2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later

2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'

 0K . 100%
237M=0s

2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]


2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz

2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz

2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ

2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz

2011-03-04 15:09:04,645 DEBUG will use principal: admin

2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

 0K . 100%
249M=0s

2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]


2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz: 

2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.

2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   -> Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
-d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
'/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,1

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Simo Sorce
On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
Stephen Gallagher  wrote:

> 
> 
> On Mar 8, 2011, at 5:45 PM, Steven Jones 
> wrote:
> 
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > 
> > --
> > 
> > 8><-
> 
> Looks like you have no host key in the keytab. That's the root of the
> problem. Seems like IPA-client-install failed to populate it. Rob, do
> you have any insight here?

does /var/log/ipaclient-install.log show any error ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Stephen Gallagher


On Mar 8, 2011, at 5:45 PM, Steven Jones  wrote:

> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> 
> --
> 
> 8><-

Looks like you have no host key in the keytab. That's the root of the problem. 
Seems like IPA-client-install failed to populate it. Rob, do you have any 
insight here?



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal

--

8><-
> 
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
> 
> What does
> klist -k /etc/krb5.keytab
> return to you?
> 
> -- 
> Stephen Gallagher
> RHCE 804006346421761
> 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Stephen Gallagher

On 03/08/2011 04:40 PM, Steven Jones wrote:
> On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> 8><--
>>>
>>>
>>> So how do I fault find? where do I start?
>>>
>>> ie Where do I start to look to determine why a user cannot login to a
>>> client via freeipa?
>>>
>>> How can I be more clear? because so far the replies have been not very
>>> productive.
>>>
>>> regards
>>>
>>>
>>
>> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
>> sssd, and try your login again. Look
>> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>>
>> Your uid/gid will likely differ.
>>
>> # getent passwd admin
>> admin:*:26420:26420:Administrator:/home/admin:/bin/bash
>> # id admin
>> uid=26420(admin) gid=26420(admins) groups=26420(admins)
>> # getent group admins
>> admins:*:26420:admin
>> # finger admin
>> Login: admin                           Name: Administrator
>> Directory: /home/admin                 Shell: /bin/bash
>> Never logged in.
>> No mail.
>> No Plan.
> 
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
> [default]
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> fatal error initializing data providers
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
> [default]


Well, here's your problem. The SSSD isn't starting up successfully
because you don't have a host principal for this server in your
/etc/krb5.keytab file. This was probably a bug in the ipa-client-install.

What does
klist -k /etc/krb5.keytab
return to you?

-- 
Stephen Gallagher
RHCE 804006346421761




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><--
> >
> >
> > So how do I fault find? where do I start?
> >
> > ie Where do I start to look to determine why a user cannot login to a
> > client via freeipa?
> >
> > How can I be more clear? because so far the replies have been not very
> > productive.
> >
> > regards
> >
> >
>
> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> sssd, and try your login again. Look
> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>
> Your uid/gid will likely differ.
>
> # getent passwd admin
> admin:*:26420:26420:Administrator:/home/admin:/bin/bash
> # id admin
> uid=26420(admin) gid=26420(admins) groups=26420(admins)
> # getent group admins
> admins:*:26420:admin
> # finger admin
> Login: admin                           Name: Administrator
> Directory: /home/admin                 Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.

(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (ss

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:

8><--


So how do I fault find? where do I start?

ie Where do I start to look to determine why a user cannot login to a
client via freeipa?

How can I be more clear? because so far the replies have been not very
productive.

regards




Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart 
sssd, and try your login again. Look 
in /var/log/sssd/sssd_example.com.log for information on the login attempt.


Your uid/gid will likely differ.

# getent passwd admin
admin:*:26420:26420:Administrator:/home/admin:/bin/bash
# id admin
uid=26420(admin) gid=26420(admins) groups=26420(admins)
# getent group admins
admins:*:26420:admin
# finger admin
Login: admin                           Name: Administrator
Directory: /home/admin                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><
> 
> Steven, sorry you're having such a hard time with this. Let me see if I
> can help point you in the right direction.
> 
> I'm trying to look at the history of this thread, but I'm coming into it
> late, so please forgive me if I retread any ground that's already been
> covered.
> 
> First, I need to verify that I understand the state from which you're
> working. Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64bit.

> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)


">>" 'd output,

==
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2

domains = ipa.ac.nz
[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Stephen Gallagher

On 03/08/2011 02:43 PM, Steven Jones wrote:
> 8><--
> 
> 
> So how do I fault find? where do I start?
> 
> ie Where do I start to look to determine why a user cannot login to a
> client via freeipa? 
> 
> How can I be more clear? because so far the replies have been not very
> productive.
> 


Steven, sorry you're having such a hard time with this. Let me see if I
can help point you in the right direction.

I'm trying to look at the history of this thread, but I'm coming into it
late, so please forgive me if I retread any ground that's already been
covered.

First, I need to verify that I understand the state from which you're
working. Have you installed FreeIPA from the jdennis.fedorapeople.org
yum repository?

What version of the RPM packages for freeipa-server, freeipa-client and
sssd do you have? (rpm -q)

I noticed that you mentioned in an earlier email that you were editing
nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
client (any more). We now use SSSD (and ipa-client-install should be
setting this up for you).

So what I need to see are the following configuration files:
1) /etc/nsswitch.conf
2) /etc/sssd/sssd.conf
3) /etc/pam.d/system-auth
4) /etc/pam.d/password-auth (if using GDM)

Also, to start debugging login problems, the best place to look is in
/var/log/secure, which should report any PAM modules that are denying
access to the account (and the reason why it's being denied).

Please provide us with the above information and we'll see what we can
do to get you up and running.

Also, for much faster triage and debugging, you can join the #freeipa
and/or #sssd IRC channels on the irc.freenode.net IRC server and speak
with us directly. My nick on those channels is 'sgallagh'.


-- 
Stephen Gallagher
RHCE 804006346421761


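A static check of the three client-side files Stephen asks for (nsswitch.conf, sssd.conf and the PAM system-auth stack), as an added example written for this page; it is not FreeIPA or SSSD code. It parses the nsswitch source lists, the [sssd] and [domain/...] sections of sssd.conf, and the auth/account stacks of a PAM file. The samples are constructed after the files Steven posted later in the thread; on that sssd.conf the check reports that debug_level=9 sits under [domain/default], which is not in the domains list, while [domain/ipa.ac.nz], the ipa provider Rob asked to set it on, has none. The function names are this example's own.

```python
"""Static sanity checks on /etc/nsswitch.conf, /etc/sssd/sssd.conf and
/etc/pam.d/system-auth for a FreeIPA client that uses SSSD."""
import configparser
import re

# One PAM line: optional leading '-', type, control (word or [bracketed]), module, args
PAM_LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def nsswitch_missing_sss(nsswitch_text, databases=("passwd", "shadow", "group")):
    """Databases whose source list lacks 'sss'; getent never sees IPA users for those."""
    sources = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return [db for db in databases if "sss" not in sources.get(db, [])]


def sssd_domain_problems(sssd_conf_text, domain):
    """`domain` must be enabled, served by the ipa providers, and carry debug_level;
    a debug_level in a domain section that is not enabled produces no log at all."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    problems = []
    if domain not in enabled:
        problems.append("%s is not listed in [sssd] domains" % domain)
    section = "domain/" + domain
    if not cp.has_section(section):
        return problems + ["no [%s] section" % section]
    for key in ("id_provider", "auth_provider"):
        if cp.get(section, key, fallback="") != "ipa":
            problems.append("%s in [%s] is not 'ipa'" % (key, section))
    if not cp.has_option(section, "debug_level"):
        problems.append("debug_level is not set in [%s]" % section)
    for other in cp.sections():
        if (other.startswith("domain/") and other != section
                and cp.has_option(other, "debug_level")
                and other[len("domain/"):] not in enabled):
            problems.append("debug_level is set in [%s], which is not an enabled domain" % other)
    return problems


def pam_stack_problems(pam_text):
    """pam_sss.so must be in the auth and account stacks; in auth, when it follows
    pam_unix.so, it needs use_first_pass/try_first_pass or the user is prompted twice."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    for raw in pam_text.splitlines():
        m = PAM_LINE_RE.match(raw.strip())
        if m:
            stacks[m.group("type")].append((m.group("module"), m.group("args").split()))
    problems = []
    for stack in ("auth", "account"):
        if "pam_sss.so" not in [mod for mod, _ in stacks[stack]]:
            problems.append("pam_sss.so missing from %s stack" % stack)
    auth_mods = [mod for mod, _ in stacks["auth"]]
    if "pam_unix.so" in auth_mods and "pam_sss.so" in auth_mods:
        sss_idx = auth_mods.index("pam_sss.so")
        if auth_mods.index("pam_unix.so") < sss_idx:
            if not {"use_first_pass", "try_first_pass"} & set(stacks["auth"][sss_idx][1]):
                problems.append("pam_sss.so follows pam_unix.so without use_first_pass")
    return problems


# Constructed samples modelled on the files posted in the thread (not copied from a live host).
SAMPLE_NSSWITCH = "passwd:     files sss\nshadow:     files sss\ngroup:      files sss\nhosts:      files dns\n"
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.ac.nz
[nss]
[pam]
[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz
[domain/default]
krb5_realm = IPA.AC.NZ
auth_provider = krb5
debug_level=9
"""
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""

if __name__ == "__main__":
    print("nsswitch without sss:", nsswitch_missing_sss(SAMPLE_NSSWITCH))
    print("sssd.conf:", sssd_domain_problems(SAMPLE_SSSD_CONF, "ipa.ac.nz"))
    print("system-auth:", pam_stack_problems(SAMPLE_SYSTEM_AUTH))
```

Run it against the real files (open(...).read() in place of the samples) before asking for logs: an empty result from all three checks means the client is wired up as ipa-client-install intends, and the next stop is /var/log/secure and the SSSD domain log.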


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><--


So how do I fault find? where do I start?

ie Where do I start to look to determine why a user cannot login to a
client via freeipa? 

How can I be more clear? because so far the replies have been not very
productive.

regards





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><-

> >
> > getent passwd "user" however only returns one line, not the two I should
> > expect?
> 
> Why do you expect two lines? It should only return one, for that user.
> 
> >
> > It also returns very fast, like it's not even looking remotely.
> 
> Is the user in /etc/passwd too?
> 

When I tried to get FDS going a few years ago getent used to return 2,
the local one and the ldap one, hence two lines if it was
working.

I guess the ipa manual is lacking somewhat in that it says run these
commands, but doesn't say what the expected output is or looks like, so
how am I meant to know if it's right or wrong? like duh.

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:


I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz" |more

Which returns LDAP info that looks fine; the query looks OK

getent passwd "user" however only returns one line, not the two I should
expect?


Why do you expect two lines? It should only return one, for that user.



It also returns very fast, like it's not even looking remotely.


Is the user in /etc/passwd too?



I have run authconfig-tui and that looks OK as far as I can tell

I have set cli.conf and server.conf but there are no logs any where I
can find

Ideas please?

Also how to get logging going so I have something to look at


Logging depends entirely on the context you are in.

For nss data (user, group, etc) you'll need to check system logs. If you 
are using sssd, the default, then you can try adding debug_level = 9 to 
/etc/sssd/sssd.conf in the ipa provider (domain/example.com) and restart 
sssd. Watch the logs in /var/log/sssd.


Since sssd uses LDAP you can also see the queries it makes on your IPA 
server in /var/log/dirsrv/slapd-REALM/access. This log is buffered.


cli.conf and server.conf are only used by the IPA management framework 
(the ipa command and the web UI). The server-side log is the Apache error 
log, /var/log/httpd/error_log.


So if the question is "why can't user  log in" or "why can't I see 
user " then look in the sssd error logs.


If you can't manage users using the ipa command, the Apache error log is 
the place to look.


rob
