Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Hello, I have been searching the world wide web and all I can find is to upgrade SSSD, but I can't do that. Can't change those packages for the satellite. Is there any other way?

2013/5/2 Axel Berlin acke...@gmail.com
> Nothing comes up in the logs when I do it on the client. Got any other tips?
>
> 2013/5/2 Jakub Hrozek jhro...@redhat.com
>> On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
>>> On the client it doesn't return anything, but on the server it returns the following:
>>>
>>> kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
>>>
>>> But it is on the client that I should run it? The server doesn't have the 237-100 krb5.keytab file.
>>
>> Yes, on the client.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
[root@seadv-237-100 ~]# kinit -k host/seadv-237-100.d1.gameop.net
[root@seadv-237-100 ~]# echo $?
0

What more can I try? I googled

[be_get_account_info] (4): Request processed. Returned 1,11,Fast reply - offline

and all I can find is that I have to update some packages, but I can't do that because of the live stuff. So is there any other workaround for this? Or do I have to live with having to change the resolv.conf?

2013/5/6 Jakub Hrozek jhro...@redhat.com
> On Thu, May 02, 2013 at 01:03:07PM +0200, Axel Berlin wrote:
>> Nothing comes up in the logs when I do it on the client. Got any other tips?
>
> You shouldn't see anything in the logs. kinit is a simple command-line utility. You should either see an error message printed to stdout or nothing (and $? set to 0) if kinit succeeded.
Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
On the client it doesn't return anything, but on the server it returns the following:

kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials

But it is on the client that I should run it? The server doesn't have the 237-100 krb5.keytab file.

2013/5/2 Jakub Hrozek jhro...@redhat.com
> On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
>> Here is the log output when I do id username
>>
>> sssd_d1.gameop.net.log
>> (Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
>> (Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
>> (Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler] (7): Waiting for child [20277].
>
> I think here is the problem. Local error is not much descriptive, but the issue is most probably in the keytab. Does the following work:
>
> kinit -k host/seadv-237-100.d1.gameop.net
>
> I bet it would print the same error message.
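The two SSSD backend log fragments quoted in this thread (the GSSAPI `ldap_sasl_bind failed (-2)[Local error]` lines above and the `Fast reply - offline` line in the later message) are the kind of signature an administrator would want to pick out of a long `sssd_<domain>.log` automatically. The following is an added example, not code from the thread or from the SSSD project: it parses lines in the `(timestamp) [sssd[be[domain]]] [function] (level): message` layout seen above, flags the two known signatures, extracts the principal SSSD tried to bind with, and compares it to the host principal the client is expected to use. The sample log text is constructed from the lines posted in the thread; the `expected_principal` argument and the advice strings are this example's own.

```python
import re

# Constructed sample: the three backend debug lines quoted in the thread plus
# the "Fast reply - offline" line from the later message, in the layout sssd 1.x
# writes at debug_level >= 4.
SAMPLE_LOG = """\
(Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
(Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu May 2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler] (7): Waiting for child [20277].
(Thu May 2 10:45:00 2013) [sssd[be[d1.gameop.net]]] [be_get_account_info] (4): Request processed. Returned 1,11,Fast reply - offline
"""

# One backend log record: "(ts) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)

# The principal SSSD binds to LDAP with (realm is not printed here).
GSSAPI_USER_RE = re.compile(r"Executing sasl bind mech: GSSAPI, user: (\S+)")

# Known failure signatures -> tag and the check a defender should run.
SIGNATURES = [
    (re.compile(r"ldap_sasl_bind failed \(-2\)\[Local error\]"),
     "gssapi_bind_failed",
     "GSSAPI bind rejected on the client side: the keytab lacks the host "
     "principal, the realm is wrong, or the clock is skewed. Verify with "
     "'kinit -k host/<client fqdn>' on the client."),
    (re.compile(r"Fast reply - offline"),
     "backend_offline",
     "Backend is in offline mode: identity lookups are answered from the "
     "cache until the provider comes back online."),
]


def parse_line(line):
    """Split one backend log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def triage(log_text, expected_principal=None):
    """Scan backend log text for known signatures.

    Returns a dict with the matched findings (in log order), the set of
    principals SSSD tried to bind with, and any of those that differ from
    expected_principal (e.g. "host/seadv-237-100.d1.gameop.net").
    """
    findings = []
    principals = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        user = GSSAPI_USER_RE.search(rec["msg"])
        if user:
            principals.add(user.group(1))
        for pattern, tag, advice in SIGNATURES:
            if pattern.search(rec["msg"]):
                findings.append({"tag": tag, "ts": rec["ts"],
                                 "func": rec["func"], "advice": advice})
    mismatch = []
    if expected_principal is not None:
        mismatch = sorted(p for p in principals if p != expected_principal)
    return {"findings": findings,
            "bind_principals": sorted(principals),
            "principal_mismatch": mismatch}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG,
                    expected_principal="host/seadv-237-100.d1.gameop.net")
    for f in report["findings"]:
        print("%s %s [%s]: %s" % (f["ts"], f["tag"], f["func"], f["advice"]))
    print("bind principals seen:", report["bind_principals"])
    print("unexpected principals:", report["principal_mismatch"])
```

On a live system, read `/var/log/sssd/sssd_<domain>.log` into `triage()` instead of the constructed sample; a `gssapi_bind_failed` finding together with an `expected_principal` that never appears in `bind_principals` points at a keytab generated for a different host name.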
Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Nothing comes up in the logs when I do it on the client. Got any other tips?

2013/5/2 Jakub Hrozek jhro...@redhat.com
> On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
>> On the client it doesn't return anything, but on the server it returns the following:
>>
>> kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
>>
>> But it is on the client that I should run it? The server doesn't have the 237-100 krb5.keytab file.
>
> Yes, on the client.
[Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Hello. I'm trying to set up a Red Hat 6.1 client against the IPA server. What I have done:

On the IPA server

#ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net
#kinit admin
#ipa host-add-managedby --hosts=ipaserver.d1.gameop.net seadv-237-1.d1.gameop.net
#ipa-getkeytab -s ipaserver.d1.gameop.net -p host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab
#scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On the client (6.1)

#yum install krb5-workstation oddjob-mkhomedir
#mv /tmp/client1.keytab /etc/krb5.keytab

#vim /etc/krb5.conf
[libdefaults]
 default_realm = D1.GAMEOP.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 D1.GAMEOP.NET = {
  kdc = ipaserver.d1.gameop.net:88
  admin_server = ipaserver.d1.gameop.net:749
  default_domain = d1.gameop.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .d1.gameop.net = D1.GAMEOP.NET
 d1.gameop.net = D1.GAMEOP.NET

#cd /etc/pam.d/

#vim fingerprint-auth
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim password-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim smartcard-auth
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim system-auth
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim /etc/sssd/sssd.conf
[domain/d1.gameop.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.d1.gameop.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
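The manual enrolment above hinges on one invariant: the keytab copied to `/etc/krb5.keytab` must hold `host/<client fqdn>@<default_realm>` for the name the client actually uses, or `kinit -k host/<fqdn>` fails with "Keytab contains no suitable keys" and SSSD's GSSAPI bind fails in turn. The following is an added example written for this thread, not code from the poster or from FreeIPA/SSSD: it parses `klist -kt` output, reads `default_realm` from the posted krb5.conf, and reports whether the expected host principal is present and which host principals the keytab holds instead. The `klist -kt` listing is a constructed sample (KVNO and timestamps made up) built around the principal the keytab was generated for in the post; the client FQDN is passed in by the caller.

```python
import re
import subprocess

# Constructed sample of `klist -kt /etc/krb5.keytab` output for a keytab that
# was generated with ipa-getkeytab for host/seadv-237-1.d1.gameop.net (KVNO
# and timestamps are invented; klist prints one line per key/enctype).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/02/13 10:30:01 host/seadv-237-1.d1.gameop.net@D1.GAMEOP.NET
   2 05/02/13 10:30:01 host/seadv-237-1.d1.gameop.net@D1.GAMEOP.NET
"""

# The [libdefaults] and [realms] sections of the krb5.conf posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = D1.GAMEOP.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false

[realms]
 D1.GAMEOP.NET = {
  kdc = ipaserver.d1.gameop.net:88
  admin_server = ipaserver.d1.gameop.net:749
 }
"""

# "<kvno> <date> <time> <principal>" entry line of `klist -kt`.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: highest KVNO} from klist -kt output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _timestamp, principal = m.groups()
        entries[principal] = max(int(kvno), entries.get(principal, 0))
    return entries


def default_realm(krb5_conf_text):
    """Return default_realm from [libdefaults], or None if absent."""
    section = None
    for line in krb5_conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif section == "libdefaults" and "=" in s:
            key, value = (part.strip() for part in s.split("=", 1))
            if key == "default_realm":
                return value
    return None


def check_host_keytab(klist_text, krb5_conf_text, fqdn):
    """Compare the keytab contents with the principal this client must own."""
    realm = default_realm(krb5_conf_text)
    expected = "host/%s@%s" % (fqdn, realm)
    entries = parse_klist(klist_text)
    host_principals = sorted(p for p in entries if p.startswith("host/"))
    problems = []
    if realm is None:
        problems.append("krb5.conf has no default_realm in [libdefaults]")
    if not entries:
        problems.append("keytab is empty or klist output was not recognised")
    elif expected not in entries:
        if host_principals:
            problems.append("keytab holds %s, not %s: it was generated for a "
                            "different host name or realm"
                            % (", ".join(host_principals), expected))
        else:
            problems.append("keytab contains no host/ principal at all")
    return {"expected": expected, "present": expected in entries,
            "host_principals": host_principals, "problems": problems}


def live_klist(keytab="/etc/krb5.keytab"):
    """Run klist -kt on the local system; None if klist is unavailable."""
    try:
        return subprocess.check_output(["klist", "-kt", keytab],
                                       universal_newlines=True)
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    listing = live_klist() or SAMPLE_KLIST
    result = check_host_keytab(listing, SAMPLE_KRB5_CONF,
                               "seadv-237-100.d1.gameop.net")
    print("expected:", result["expected"], "present:", result["present"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run it on the client with the real `/etc/krb5.conf` contents and the output of `hostname -f`; if `present` is false while `host_principals` names another host, regenerate the keytab for the client's real FQDN rather than editing resolv.conf around the mismatch.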