Thank you, that worked.

On Fri, Jan 23, 2015 at 6:40 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/23/2015 03:58 PM, Megan . wrote:
>>
>> Good Day!
>>
>> I installed a new IPA server (same name as the old one) on a new
>> server.  I added a single user for testing.  I have a client that was
>> previously a client on the old IPA server, i ran ipa-client-install
>> --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
>> and rebooted.  I then updated /etc/hosts to point to the new IPA
>> server, and ran ipa-client-install --no-ntp.  The install went fine.
>> Now when i try to login to the client using my new test user, it
>> doesn't work.  I get the below errors.  I am able to login to the new
>> directory server with my new user, was prompted to change my password,
>> and was able to log back in just fine.
>>
>> Any help is appreciated.  Thanks.
>>
>> Client:
>> [root@test3-vm ~]# uname -a
>> Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
>> 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> [root@test3-vm ~]# cat /etc/redhat-release
>> CentOS release 6.6 (Final)
>> [root@test3-vm ~]# rpm -qa | grep ipa-client
>> ipa-client-3.0.0-42.el6.centos.x86_64
>>
>> Server:
>> [root@dir1 ~]# uname -a
>> Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
>> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> [root@dir1 ~]# cat /etc/redhat-release
>> CentOS release 6.6 (Final)
>> [root@dir1 ~]# rpm -qa | grep ipa-server
>> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>> ipa-server-3.0.0-42.el6.centos.x86_64
>>
>>
>>
>> From client:
>> [root@test3-vm sssd]# klist -kt /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>     1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
>>     1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
>>     1 01/23/15 14:27:05 host/test3-vm.mydomain....@mydomain.com
>>     1 01/23/15 14:27:06 host/test3-vm.mydomain....@mydomain.com
>> [root@test3-vm sssd]
>>
>>
>> This works fine:
>>
>> [root@test3-vm sssd]# kinit tester1
>> Password for test...@mydomain.com:
>> [root@test3-vm sssd]#
>>
>>
>> [root@test3-vm sssd]# tail -200 krb5_child.log
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
>> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
>> principal [false] offline [false] UPN [test...@mydomain.com]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
>> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
>> [/etc/krb5.keytab]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
>> [set_lifetime_options] (0x0100): Cannot read
>> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
>> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>> environment.
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
>> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
>> [true]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>> [host/test3-vm.mydomain....@mydomain.com]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
>> [check_fast_ccache] (0x0200): FAST TGT is still valid.
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
>> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
>> check failed]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error]
>> (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
>> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data]
>> (0x0200): Received error code 1432158218
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
>> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
>> principal [false] offline [false] UPN [test...@mydomain.com]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
>> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
>> [/etc/krb5.keytab]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
>> [set_lifetime_options] (0x0100): Cannot read
>> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
>> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>> environment.
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
>> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
>> [true]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>> [host/test3-vm.mydomain....@mydomain.com]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
>> [check_fast_ccache] (0x0200): FAST TGT is still valid.
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
>> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
>> check failed]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error]
>> (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
>> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data]
>> (0x0200): Received error code 1432158218
>>
>>
>>
>>
>>
>> [root@test3-vm sssd]# cat /etc/sssd/sssd.conf
>> # Do not edit Managed by Spacewalk
>> [domain/MYDOMAIN.COM]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = MYDOMAIN.COM
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = test3-vm.MYDOMAIN.COM
>> chpass_provider = ipa
>> ipa_server = _srv_, dir1.MYDOMAIN.COM
>> dns_discovery_domain = MYDOMAIN.COM
>>
>> sudo_provider = ldap
>> ldap_uri = ldap://dir1.MYDOMAIN.COM
>> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
>> ldap_sasl_realm = MYDOMAIN.COM
>> krb5_server = dir1.MYDOMAIN.COM
>> debug_level = 5
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> debug_level = 5
>>
>> domains = MYDOMAIN.COM
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>> debug_level = 5
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>
>
> It seems that you have several keys in the keytab for the same principal.
> AFAIR (vaguely) kinit and SSSD try keys in different order, something like:
> one uses last key in the list and another uses first.
> There was even a ticket I think.
>
> Try removing all the keys and leaving only one - latest.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

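A check for the condition described above (several keys in the keytab for one principal), written here as an added example rather than anything from the thread. It parses MIT `klist -kt` output, where one KVNO with several entries (one per enctype) is normal and a principal listed under more than one KVNO carries stale keys; the sample listing and the example.com principals are constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/krb5.keytab` output (not the poster's
# keytab): the host principal appears under KVNO 1 and KVNO 2, i.e. an old key
# was left behind; the nfs principal has a single KVNO and is healthy.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/client.example.com@EXAMPLE.COM
   1 01/23/15 14:27:05 host/client.example.com@EXAMPLE.COM
   2 01/23/15 16:02:11 host/client.example.com@EXAMPLE.COM
   2 01/23/15 16:02:11 host/client.example.com@EXAMPLE.COM
   1 01/23/15 14:27:06 nfs/client.example.com@EXAMPLE.COM'

# Read `klist -kt` output on stdin and print one line per principal:
#   <principal> <number of distinct KVNOs> <highest KVNO>
# Only lines whose first field is a number are keytab entries; the header,
# the dashed separator and the "Keytab name:" line are skipped.
keytab_kvno_summary() {
    awk '$1 ~ /^[0-9]+$/ {
             p = $NF; k = $1 + 0
             if (!((p, k) in seen)) { seen[p, k] = 1; nk[p]++ }
             if (k > max[p]) max[p] = k
         }
         END { for (p in nk) print p, nk[p], max[p] }' | sort
}

# Print only principals that carry more than one KVNO, together with the
# KVNO to keep (the highest one, which is the key the KDC currently uses).
stale_keytab_principals() {
    keytab_kvno_summary | awk '$2 > 1 { print $1 " keep_kvno=" $3 }'
}

# Stand-alone run on the constructed sample; on a real client replace the
# printf with: klist -kt /etc/krb5.keytab | stale_keytab_principals
printf '%s\n' "$SAMPLE_KLIST" | stale_keytab_principals
```

Entries under the older KVNO can then be removed with MIT ktutil (read_kt, list, delete_entry, write_kt), after which the remaining keys should all share the KVNO the KDC reports.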