Re: [Freeipa-users] Decrypt integrity check failed on client

2015-01-24 Thread Megan .
Thank you, that worked.


On Fri, Jan 23, 2015 at 6:40 PM, Dmitri Pal d...@redhat.com wrote:
 On 01/23/2015 03:58 PM, Megan . wrote:

 Good Day!

 I installed a new IPA server (same name as the old one) on a new
 server.  I added a single user for testing.  I have a client that was
 previously a client on the old IPA server, I ran ipa-client-install
 --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
 and rebooted.  I then updated /etc/hosts to point to the new IPA
 server, and ran ipa-client-install --no-ntp.  The install went fine.
 Now when I try to login to the client using my new test user, it
 doesn't work.  I get the below errors.  I am able to login to the new
 directory server with my new user, was prompted to change my password,
 and was able to log back in just fine.

 Any help is appreciated.  Thanks.

 Client:
 [root@test3-vm ~]# uname -a
 Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 [root@test3-vm ~]# cat /etc/redhat-release
 CentOS release 6.6 (Final)
 [root@test3-vm ~]# rpm -qa | grep ipa-client
 ipa-client-3.0.0-42.el6.centos.x86_64

 Server:
 [root@dir1 ~]# uname -a
 Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 [root@dir1 ~]# cat /etc/redhat-release
 CentOS release 6.6 (Final)
 [root@dir1 ~]# rpm -qa | grep ipa-server
 ipa-server-selinux-3.0.0-42.el6.centos.x86_64
 ipa-server-3.0.0-42.el6.centos.x86_64



 From client:
 [root@test3-vm sssd]# klist -kt /etc/krb5.keytab
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Timestamp Principal
 ---- ----------------- --------------------------------------------------------
 
 1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
 1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
 1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
 1 01/23/15 14:27:06 host/test3-vm.mydomain@mydomain.com
 [root@test3-vm sssd]


 This works fine:

 [root@test3-vm sssd]# kinit tester1
 Password for test...@mydomain.com:
 [root@test3-vm sssd]#


 [root@test3-vm sssd]# tail -200 krb5_child.log
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
 (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
 principal [false] offline [false] UPN [test...@mydomain.com]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
 (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
 [/etc/krb5.keytab]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
 [set_lifetime_options] (0x0100): Cannot read
 [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
 environment.
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
 [true]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_setup_fast]
 (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
 [host/test3-vm.mydomain@mydomain.com]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
 [check_fast_ccache] (0x0200): FAST TGT is still valid.
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
 [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
 check failed]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [map_krb5_error]
 (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
 (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_send_data]
 (0x0200): Received error code 1432158218
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
 (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
 principal [false] offline [false] UPN [test...@mydomain.com]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
 (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
 [/etc/krb5.keytab]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
 [set_lifetime_options] (0x0100): Cannot read
 [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
 [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
 environment.
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
 [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
 [true]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [k5c_setup_fast]
 (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
 [host/test3-vm.mydomain@mydomain.com]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
 [check_fast_ccache] (0x0200): FAST TGT is still valid.
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
 [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
 check failed]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [map_krb5_error]
 (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 

[Freeipa-users] Decrypt integrity check failed on client

2015-01-23 Thread Megan .
Good Day!

I installed a new IPA server (same name as the old one) on a new
server.  I added a single user for testing.  I have a client that was
previously a client on the old IPA server, I ran ipa-client-install
--uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
and rebooted.  I then updated /etc/hosts to point to the new IPA
server, and ran ipa-client-install --no-ntp.  The install went fine.
Now when I try to login to the client using my new test user, it
doesn't work.  I get the below errors.  I am able to login to the new
directory server with my new user, was prompted to change my password,
and was able to log back in just fine.

Any help is appreciated.  Thanks.

Client:
[root@test3-vm ~]# uname -a
Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@test3-vm ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@test3-vm ~]# rpm -qa | grep ipa-client
ipa-client-3.0.0-42.el6.centos.x86_64

Server:
[root@dir1 ~]# uname -a
Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@dir1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@dir1 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64



From client:
[root@test3-vm sssd]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
   1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
   1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
   1 01/23/15 14:27:06 host/test3-vm.mydomain@mydomain.com
[root@test3-vm sssd]


This works fine:

[root@test3-vm sssd]# kinit tester1
Password for test...@mydomain.com:
[root@test3-vm sssd]#


[root@test3-vm sssd]# tail -200 krb5_child.log
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_send_data]
(0x0200): Received error code 1432158218
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [k5c_send_data]
(0x0200): Received error code 1432158218





[root@test3-vm sssd]# cat /etc/sssd/sssd.conf
# Do not edit Managed by Spacewalk
[domain/MYDOMAIN.COM]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = 
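
Added example, not part of the original post: a triage of the krb5_child.log excerpt above that decodes the krb5 error number and flags login attempts where SSSD reused its cached FAST TGT and the request then failed with "Decrypt integrity check failed". That pairing is worth checking when a KDC has been rebuilt under the same name, because a ticket issued by the old KDC cannot be decrypted with the new KDC's keys. The error-table subset, the function names and the pid 3001 record are assumptions of this example.

```python
import re

# MIT krb5 reports protocol error N (RFC 4120) as KRB5_ERROR_TABLE_BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERRORS = {24: "KRB5KDC_ERR_PREAUTH_FAILED",
               31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
               37: "KRB5KRB_AP_ERR_SKEW"}

# One record: "(timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message".
# "]]]]" is optional because the list archive dropped it from the posted log.
STAMP = r"\(\w{3} \w{3} +\d+ [\d:]+ \d{4}\)"
RECORD = re.compile(STAMP + r" \[\[sssd\[krb5_child\[(?P<pid>\d+)\]* "
                    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*?)"
                    r"(?= " + STAMP + r" \[\[sssd|$)")
KRB5_CODE = re.compile(r"\[(-\d+)\]\[[^\]]+\]")

# First three records are from the post; the last (pid 3001) is constructed.
SAMPLE = """\
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 16:02:10 2015) [[sssd[krb5_child[3001]]]] [get_and_save_tgt]
(0x0020): 981: [-1765328360][Preauthentication failed]
"""

def triage(text):
    """Group records by krb5_child PID: FAST armor reuse and krb5 errors seen."""
    flat = " ".join(text.split())          # undo mail line wrapping
    attempts = {}
    for m in RECORD.finditer(flat):
        a = attempts.setdefault(m["pid"], {"fast_reused": False, "errors": []})
        if m["func"] == "check_fast_ccache" and "still valid" in m["msg"]:
            a["fast_reused"] = True
        for code in KRB5_CODE.findall(m["msg"]):
            n = int(code) - KRB5_ERROR_TABLE_BASE
            name = KRB5_ERRORS.get(n, "unmapped(%d)" % n)
            if name not in a["errors"]:
                a["errors"].append(name)
    return attempts

def stale_armor_suspects(text):
    """PIDs where a cached FAST TGT was reused and decryption then failed."""
    return [pid for pid, a in triage(text).items()
            if a["fast_reused"] and "KRB5KRB_AP_ERR_BAD_INTEGRITY" in a["errors"]]
```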

Re: [Freeipa-users] Decrypt integrity check failed on client

2015-01-23 Thread Dmitri Pal

On 01/23/2015 03:58 PM, Megan . wrote:

Good Day!

I installed a new IPA server (same name as the old one) on a new
server.  I added a single user for testing.  I have a client that was
previously a client on the old IPA server, I ran ipa-client-install
--uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
and rebooted.  I then updated /etc/hosts to point to the new IPA
server, and ran ipa-client-install --no-ntp.  The install went fine.
Now when I try to login to the client using my new test user, it
doesn't work.  I get the below errors.  I am able to login to the new
directory server with my new user, was prompted to change my password,
and was able to log back in just fine.

Any help is appreciated.  Thanks.

Client:
[root@test3-vm ~]# uname -a
Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@test3-vm ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@test3-vm ~]# rpm -qa | grep ipa-client
ipa-client-3.0.0-42.el6.centos.x86_64

Server:
[root@dir1 ~]# uname -a
Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@dir1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@dir1 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64



From client:
[root@test3-vm sssd]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
1 01/23/15 14:27:05 host/test3-vm.mydomain@mydomain.com
1 01/23/15 14:27:06 host/test3-vm.mydomain@mydomain.com
[root@test3-vm sssd]


This works fine:

[root@test3-vm sssd]# kinit tester1
Password for test...@mydomain.com:
[root@test3-vm sssd]#


[root@test3-vm sssd]# tail -200 krb5_child.log
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain@mydomain.com]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812 [k5c_send_data]
(0x0200): Received error code 1432158218
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [test...@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain@mydomain.com]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900 [k5c_send_data]
(0x0200): Received error code 1432158218





[root@test3-vm sssd]# cat /etc/sssd/sssd.conf
# Do not edit Managed by Spacewalk
[domain/MYDOMAIN.COM]

cache_credentials = True