Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Hi Guys.. Sorry to bug ya again.. so it looks like the selinux packages are not back-ported to 7.1, as I only have selinux-policy-3.13.1-23.el7_1.21.noarch as an option.

Setting the contexts manually on /etc/ipa/nssdb:

Original
[root@server2 ipa]# ls -dZ nssdb
drwxr-xr-x. root root system_u:object_r:etc_t:s0 nssdb

Set to
[root@server2 ipa]# semanage fcontext -a -t cert_t "/etc/ipa/nssdb(/.*)?"
[root@server2 ~]# restorecon -FvvR /etc/ipa/nssdb/

Check for change
[root@server2 ~]# ls -dZ /etc/ipa/nssdb
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/ipa/nssdb

I did this.. re-enrolled the box again, but still no host cert showing in IPA. However, I do get a result now from getcert list, as seen below. The install log still shows certmonger failed..

2016-11-17T20:05:05Z ERROR certmonger request for host certificate failed.

getcert list
Number of certificates and requests being tracked: 1.
Request ID '20161117153721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Not seeing any more selinux issues either:

[root@server2 sudofix]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397

From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Jakub Hrozek <jhro...@redhat.com>, Martin Babinsky <mbabi...@redhat.com>
Date: 11/17/2016 09:14 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
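The manual relabel in the message above was worked out by reading the AVC records by hand: the `type=AVC` line names only the leaf (`name=nssdb`, `name=cert8.db`) and the full path is in the `type=PATH` record that shares the same audit serial. The script below is an added example, not code from the thread, FreeIPA or certmonger: it parses `ausearch -i` records in the shape posted in the thread (the sample is constructed to mirror them), joins each denial to its path, and emits the same `semanage fcontext` / `restorecon` pair the poster typed. The file type to apply (`cert_t`) is an assumption passed in by the caller; the audit log cannot tell you which type the corrected policy expects, and relabeling `etc_t` objects to `cert_t` widens what `certmonger_t` can write, so treat it as a stopgap until the fixed selinux-policy from the cited bugzilla is installed.

```python
"""Correlate SELinux AVC denials with their PATH records and propose a relabel.

Added example (not code from the thread, FreeIPA or certmonger). It parses the
`ausearch -i` record format shown in the thread, joins each `type=AVC` denial to
the full path in the `type=PATH` record that shares its audit serial, and emits
the `semanage fcontext` / `restorecon` pair that relabels the affected tree.
The target type to apply (cert_t below) is an assumption the caller passes in,
not something derivable from the audit log.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the records posted in the thread.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

# One `ausearch -i` record per line: type, the audit(<time>:<serial>) header, then the body.
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<hdr>[^)]*)\) : (?P<body>.*)$", re.MULTILINE)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm=(?P<comm>\S+)"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: int
    perms: List[str]
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    path: Optional[str] = None  # full path from the PATH record with the same serial

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_denials(text: str) -> List[Denial]:
    """Return the AVC denials in `text`, each joined to its PATH record's full name."""
    paths: Dict[int, str] = {}
    denials: List[Denial] = []
    for m in RECORD_RE.finditer(text):
        serial = int(m.group("hdr").rsplit(":", 1)[1])
        body = m.group("body")
        if m.group("type") == "PATH":
            fields = dict(KV_RE.findall(body))
            paths[serial] = fields["name"].strip('"')
        elif m.group("type") == "AVC":  # USER_AVC records (setenforce notices etc.) are skipped
            a = AVC_RE.search(body)
            if a is None:
                continue
            denials.append(Denial(serial, a.group("perms").split(), int(a.group("pid")), a.group("comm"),
                                  a.group("scontext"), a.group("tcontext"), a.group("tclass")))
    for d in denials:
        d.path = paths.get(d.serial)
    return denials


def relabel_commands(denials: List[Denial], source_type: str, new_type: str) -> List[str]:
    """Propose one semanage/restorecon pair per top-level directory denied to `source_type`.

    `new_type` is the file type to apply; it is supplied by the caller (the thread used
    cert_t for /etc/ipa/nssdb) and should be the type the fixed policy assigns, not a guess.
    """
    dirs: List[str] = []
    for d in denials:
        if d.source_type != source_type or d.path is None:
            continue
        top = d.path if d.tclass == "dir" else posixpath.dirname(d.path)
        if top not in dirs:
            dirs.append(top)
    # Keep only directories not already covered by another directory in the list.
    roots = [d for d in dirs if not any(d != o and d.startswith(o + "/") for o in dirs)]
    cmds: List[str] = []
    for root in roots:
        cmds.append(f'semanage fcontext -a -t {new_type} "{root}(/.*)?"')
        cmds.append(f"restorecon -FvvR {root}")
    return cmds


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    for d in found:
        print(f"{d.comm}[{d.pid}] ({d.source_type}) denied {{ {' '.join(d.perms)} }} on "
              f"{d.path} ({d.target_type}, {d.tclass})")
    for cmd in relabel_commands(found, "certmonger_t", "cert_t"):
        print(cmd)
```

Run it against `ausearch -m avc -m user_avc -m selinux_err -i -ts recent` output piped into `SAMPLE_AUDIT`'s place; the two denials resolve to one root, `/etc/ipa/nssdb`, so a single `fcontext` rule covers both the directory and `cert8.db`. Denials from a different source domain (for example `sssd_t`) are ignored, so the suggestion stays scoped to the process you are actually fixing.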
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sean Hogan wrote:
> Hi Robert,
>
> No I did not cut it off there was no reason listed.. that was the
> last line about the issue.
>
> I did find this to be my issue however
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
> guys see if they can pull the new selinux policy packages as I do not
> see them avail right now for my boxes.
>
> [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
>
> type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
> setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
> hostname=? addr=? terminal=?'
>
> type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
> name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
> syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK
> a2=0x4000 a3=0xf8e8 items=1 ppid=1 pid=2875 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
> for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir
>
> type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
> name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
> ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
> objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
> syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
> a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=certmonger exe=/usr/sbin/certmonger
> subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
> for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Good catch, that seems like the issue.

> [root@server2 log]# rpm -qf /etc/ipa/nssdb
> ipa-python-4.1.0-18.el7_1.4.x86_64

IIRC it is just ghosted, all files should be owned by something.

> Encryption types.. thanks for the command.. good to know but hate seeing
> the arcfour and des options as I know DISA will not like that.

No DES, Triple DES. You can always remove them if you want, just be aware of interoperability.

rob

> [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
> cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Hi Robert,

No I did not cut it off there was no reason listed.. that was the last line about the issue.

I did find this to be my issue however https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys see if they can pull the new selinux policy packages as I do not see them avail right now for my boxes.

[root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000 a3=0xf8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180 a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

[root@server2 log]# rpm -qf /etc/ipa/nssdb
ipa-python-4.1.0-18.el7_1.4.x86_64

Encryption types.. thanks for the command.. good to know but hate seeing the arcfour and des options as I know DISA will not like that.

[root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sean Hogan wrote:
> Hi Jakub,
>
> I ended up re-enrolling the box and it is behaving as expected except I
> am not getting a host cert. Robert indicated auto host cert no longer
> avail with rhel 7 but using the --request-cert option on enroll to get
> a host cert if I wanted one. I did so and get this in the install log
>
> 2016-11-16T22:00:53Z DEBUG Starting external process
> 2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
> 2016-11-16T22:00:53Z DEBUG Process finished, return code=0
> 2016-11-16T22:00:53Z DEBUG stdout=active
>
> 2016-11-16T22:00:53Z DEBUG stderr=
> 2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed

Did you cut off the reason reported for the request failing?

> Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
> IPA server?

You could look in the server logs for details.

> As for crypto on RHEL 6 IPA I have (if this is what you looking for).
> However this is modified version as it took me a while to get this list
> to pass tenable scans by modding the dse files.
> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

These are the TLS settings for LDAP, not the Kerberos encryption types supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Hi Jakub,

I ended up re-enrolling the box and it is behaving as expected, except I am not getting a host cert. Robert indicated auto host cert is no longer available with RHEL 7, but to use the --request-cert option on enroll to get a host cert if I wanted one. I did so and get this in the install log:

2016-11-16T22:00:53Z DEBUG Starting external process
2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
2016-11-16T22:00:53Z DEBUG Process finished, return code=0
2016-11-16T22:00:53Z DEBUG stdout=active

2016-11-16T22:00:53Z DEBUG stderr=
2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed

Maybe this is an issue with a RHEL 7 (4.x) client hitting a RHEL 6 (3.x) IPA server?

As for crypto on the RHEL 6 IPA, I have this (if this is what you are looking for). However, this is a modified version, as it took me a while to get this list to pass Tenable scans by modding the dse files.

[root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-16 17:25 EST
Nmap scan report for ipa1.ipa.local
Host is up (0.87s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

Sean Hogan

From: Jakub Hrozek <jhro...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: Martin Babinsky <mbabi...@redhat.com>, freeipa-users@redhat.com
Date: 11/16/2016 02:38 PM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote:
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials

OK, now there's at least the same error from kinit as sssd is generating.

Can you run this command prepended with KRB5_TRACE=/dev/stderr and perhaps also check the KDC logs for the same time?

But frankly I don't know offhand what enctypes are supported by the RHEL-6 server's KDC..
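The error quoted above, "Program lacks support for encryption type", is MIT krb5's KRB5_PROG_ETYPE_NOSUPP: the library was asked to use a key of an enctype it will not handle. Answering Jakub's question about what the KDC supports means comparing three lists, the keys in the keytab (`klist -ke`), what the client's krb5.conf permits, and what the realm advertises in `krbSupportedEncSaltTypes` (Rob's ldapsearch later in the thread). The script below is an added example, not code from the thread, FreeIPA or MIT krb5. It parses the `klist -ke` listing shape shown in this thread and the LDIF shape of that ldapsearch, folds MIT's alias names (`aes256-cts`, `des3-hmac-sha1`, `rc4-hmac`) to the names klist prints, flags enctypes deprecated for Kerberos (single DES and RC4 by RFC 6649, triple DES and RC4 by RFC 8429), and reports the intersection. Both samples are constructed: the thread's ldapsearch output is cut off before the attribute values, so the LDIF values and the client's permitted list are assumptions.

```python
"""Audit keytab enctypes against a client's permitted list and the KDC's supported list.

Added example, not code from the thread or from FreeIPA/MIT krb5. It parses the
`klist -ke` listing format shown in the thread, flags enctypes that current
Kerberos guidance deprecates (single DES and RC4 per RFC 6649, triple DES and
RC4 per RFC 8429), and computes which enctypes keytab, client configuration and
KDC have in common. The KDC list is read from LDIF in the shape of the
krbSupportedEncSaltTypes query in the thread; its values here are constructed,
as is the client's permitted list.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample, modelled on the `klist -ke` output in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
"""

# Constructed sample of an ldapsearch result for krbSupportedEncSaltTypes (values are assumed).
SAMPLE_LDIF = """\
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
"""

ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<etype>[^)]+)\)\s*$", re.MULTILINE)

# MIT krb5 accepts several names for the same enctype; fold them to the name klist prints.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}
# Deprecated for Kerberos: DES and RC4 (RFC 6649), triple DES and RC4 (RFC 8429).
WEAK_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")


def canon(etype: str) -> str:
    return ALIASES.get(etype, etype)


def parse_klist(text: str) -> Dict[Tuple[str, int], List[str]]:
    """Map (principal, kvno) to the enctypes the keytab holds for it, in listing order."""
    keys: Dict[Tuple[str, int], List[str]] = {}
    for m in ENTRY_RE.finditer(text):
        key = (m.group("principal"), int(m.group("kvno")))
        keys.setdefault(key, []).append(canon(m.group("etype")))
    return keys


def parse_kdc_enctypes(ldif: str) -> Set[str]:
    """Enctypes from krbSupportedEncSaltTypes values, which are written enctype:salttype."""
    out: Set[str] = set()
    for line in ldif.splitlines():
        if line.startswith("krbSupportedEncSaltTypes:"):
            value = line.split(":", 1)[1].strip()
            out.add(canon(value.split(":")[0]))
    return out


def weak_enctypes(etypes: Iterable[str]) -> List[str]:
    return [e for e in etypes if e.startswith(WEAK_PREFIXES)]


def negotiable(keytab: Iterable[str], client_permitted: Iterable[str], kdc: Iterable[str]) -> Set[str]:
    """Enctypes present in all three lists. An empty result means no key in the keytab can be used
    (a necessary condition for a successful AS exchange, not a full model of it)."""
    return set(map(canon, keytab)) & set(map(canon, client_permitted)) & set(map(canon, kdc))


def audit(klist_text: str, client_permitted: Iterable[str], ldif: str) -> Dict[Tuple[str, int], Dict[str, List[str]]]:
    kdc = parse_kdc_enctypes(ldif)
    report: Dict[Tuple[str, int], Dict[str, List[str]]] = {}
    for key, etypes in parse_klist(klist_text).items():
        report[key] = {
            "weak": weak_enctypes(etypes),
            "negotiable": sorted(negotiable(etypes, client_permitted, kdc)),
        }
    return report


if __name__ == "__main__":
    # Assumed client policy: AES only, as a DISA-style baseline would require.
    client = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    for (princ, kvno), r in audit(SAMPLE_KLIST, client, SAMPLE_LDIF).items():
        print(f"{princ} kvno={kvno}")
        print(f"  weak keys in keytab: {r['weak'] or 'none'}")
        print(f"  negotiable enctypes: {r['negotiable'] or 'NONE, expect an enctype failure'}")
```

Feed it the real `klist -ke` and ldapsearch output and the `weak` list is what a DISA-style scan will object to (here `des3-cbc-sha1` and `arcfour-hmac`), while an empty `negotiable` set is the configuration in which `kinit -kt` and sssd's `ldap_child` have no usable key. Pruning the weak enctypes from the realm, as Rob notes, is a policy choice that trades interoperability with older members; check the intersection for every host before doing it.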
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sean Hogan wrote:
> update..
>
> I decided to unenroll the box and remove it from IPA totally. I enrolled
> it again and the box is now working as expected. However I did check if
> server1 now has a host certificate loaded in IPA and it does not.
> I have not had to do anything extra in getting a host cert loaded into
> IPA with the RHEL 6 boxes so is there a step I am not doing in getting a
> host cert loaded into IPA from a rhel 7 client to a RHEL 6 server? I
> guess I can do it manual but if I do that certmonger will not auto renew
> them right?

In IPA 4.something ipa-client-install dropped getting a host certificate by default. There is an option, --request-cert, if you want to continue that behavior.

Getting a server cert for the host was intended to be future-proofing and a convenience but we never used it for anything and never got any reports that anyone else had either (except to notice it isn't there anymore).

So yeah, you can either un-enroll and re-enroll with the option or manually request one using ipa-getcert and it will be renewed automatically in both cases.

rob
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
update..

I decided to unenroll the box and remove it from IPA totally. I enrolled it again and the box is now working as expected. However, I did check if server1 now has a host certificate loaded in IPA and it does not.

I have not had to do anything extra in getting a host cert loaded into IPA with the RHEL 6 boxes, so is there a step I am not doing in getting a host cert loaded into IPA from a RHEL 7 client to a RHEL 6 server? I guess I can do it manually, but if I do that certmonger will not auto-renew them, right?

[root@ipa1 ~]# ipa host-find server1
--------------
1 host matched
--------------
  Host name: server1.ipa.local
  Principal name: host/server1.ipa.local@IPA.LOCAL
  Password: False
  Keytab: True
  Managed by: server1.ipa.local
  SSH public key fingerprint: 12:95:CC:REMOVED (ssh-ed25519),
                              33:B9:74:26::REMOVED (ssh-rsa),
                              52:F3:DD:REMOVED (ecdsa-sha2-nistp256)

Where for a RHEL 6 box I see this:

[root@ipa1 ~]# ipa host-find server2
--------------
1 host matched
--------------
  Host name: server2.ipa.local
  Certificate: MIIDpjCCAo6gAwIBAgICANQwDQYJKoZIhvcNAQELBQAwNzEVMBMGA1UEChMMV0 REMOVED THE REST
  Principal name: host/server2.ipa.local@IPA.LOCAL
  Password: False
  Member of host-groups: bob
  Indirect Member of HBAC rule: bob2, bob1
  Keytab: True
  Managed by: server2.ipa.local
  Subject: CN=server2.ipa.local,O=IPA.LOCAL
  Serial Number: 212
  Serial Number (hex): 0xD4
  Issuer: CN=Certificate Authority,O=IPA.LOCAL
  Not Before: Tue Jul 26 20:48:58 2016 UTC
  Not After: Fri Jul 27 20:48:58 2018 UTC
  Fingerprint (MD5): 1f:b7:8f:REMOVED
  Fingerprint (SHA1): d3:2f:f:REMOVED
  SSH public key fingerprint: 1B:26:REMOVED (ssh-dss),
                              2D:66:D7:REMOVED (ssh-rsa)

Sean Hogan

From: Sean Hogan/Durham/IBM@IBMUS
To: Martin Babinsky <mbabi...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 11/16/2016 11:31 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sent by: freeipa-users-boun...@redhat.com
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Yes sir... I added the kinit kts in the previous thinking it was needed.

> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
> initial credentials
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials

Sean Hogan

From: Martin Babinsky <mbabi...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Jakub Hrozek <jhro...@redhat.com>
Date: 11/16/2016 10:54 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
On 11/16/2016 05:56 PM, Sean Hogan wrote:
> Sorry.. listing output of klist -e and klist -ke... but kinit -k does not
> seem to be working if I have it right.. kinit -kt is more promising but
> still fails
>
> Klists
>
> [root@server1 read]# klist -e
> Ticket cache: KEYRING:persistent:1:111
> Default principal: admin@ipa.local
>
> Valid starting       Expires              Service principal
> 11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/ipa.local@IPA.LOCAL
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> [root@server1 read]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
>    1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
>    1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
>    1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
>
> Kinits
>
> [root@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local

Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local'

> Extra arguments (starting with "host/server1.ipa.local").
> Usage: kinit [-V] [-l lifetime] [-s start_time]
>         [-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C] [-E]
>         [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
>         [-S service_name] [-T ticket_armor_cache]
>         [-X <attribute>[=<value>]] [principal]
>
>     options: -V verbose
>         -l lifetime
>         -s start time
>         -r renewable lifetime
>         -f forwardable
>         -F not forwardable
>         -p proxiable
>         -P not proxiable
>         -n anonymous
>         -a include addresses
>         -A do not include addresses
>         -v validate
>         -R renew
>         -C canonicalize
>         -E client is enterprise principal name
>         -k use keytab
>         -i use default client keytab (with -k)
>         -t filename of keytab to use
>         -c Kerberos 5 cache name
>         -S service
>         -T armor credential cache
>         -X <attribute>[=<value>]
>
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
> initial credentials
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials
>
> Sean Hogan
>
> From: Martin Babinsky <mbabi...@redhat.com>
> To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
> Cc: freeipa-users@redhat.com
> Date: 11/16/2016 09:33 AM
> Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
>
> On 11/16/2016 05:14 PM, Sean Hogan wrote:
>> Hi Jakub,
>>
>> Thanks... here is the output
>>
>> klist -ke
>> [root@server1 rusers]# klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
>>    1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
>>    1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
>>    1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
>>
>> kinit -k: odd though, as kinit -k seems to fail but kinit with admin
>> seems to work, indicating I can hit the KDC even though kinit -k says I
>> cannot?
>>
>> [root@server1 pam.d]# kinit -k server1
>> kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while
>> getting initial credentials
>> [root@server1 pam.d]# kinit -k server1.IPA.LOCAL
>> kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL
>> while getting initial credentials
>
> You need to specify the full principal name as printed by the klist command, i.e.
> kinit -k /etc/krb5.keytab host/server1.ipa.local
>
>> [root@server1 pam.d]# kinit admin
>> Password for admin@ipa.local:
>> [root@server1 pam.d]#
>> [root@server1 pam.d]# klist
>> Ticket cache: KEYRING:persistent:11:11
>> Default principal: admin@IPA.LOCAL
>>
>> Valid starting       Expires              Service principal
>> 11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/IPA.LOCAL@IPA.LOCAL
>>
>> [root@server1 pam.d]# ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    1 host/server1.ipa.local@IPA.LOCAL
>>    2    1 host/server1.ipa.local@IPA.LOCAL
>>    3    1 host/server1.ipa.local@IPA.LOCAL
>>    4    1 host/server1.ipa.local@IPA.LOCAL
>>
>> Added debug_level = 10 on the domain section of sssd.conf and restarted; this is all I see:
>>
>> [root@server1 sssd]# cat ldap_child.log
>> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
>> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
>> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
>> (Wed Nov 16 10:57:56 2
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sorry.. listing output of klist -e and klist -ke... but kinit -k does not seem to be working if I have it right.. kinit -kt is more promising but still fails

Klists

[root@server1 read]# klist -e
Ticket cache: KEYRING:persistent:1:111
Default principal: admin@ipa.local

Valid starting       Expires              Service principal
11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/ipa.local@IPA.LOCAL
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

[root@server1 read]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)

Kinits

[root@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C] [-E] [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename] [-S service_name] [-T ticket_armor_cache] [-X <attribute>[=value]] [principal]
    options:
        -V verbose
        -l lifetime
        -s start time
        -r renewable lifetime
        -f forwardable
        -F not forwardable
        -p proxiable
        -P not proxiable
        -n anonymous
        -a include addresses
        -A do not include addresses
        -v validate
        -R renew
        -C canonicalize
        -E client is enterprise principal name
        -k use keytab
        -i use default client keytab (with -k)
        -t filename of keytab to use
        -c Kerberos 5 cache name
        -S service
        -T armor credential cache
        -X <attribute>[=value]

[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting initial credentials

[root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Program lacks support for encryption type while getting initial credentials

Sean Hogan

From: Martin Babinsky <mbabi...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 11/16/2016 09:33 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

On 11/16/2016 05:14 PM, Sean Hogan wrote:
> Hi Jakub,
>
> Thanks... here is output
>
> *klist -ke*
> [root@server1 rusers]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
>    1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
>    1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
>    1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
>
> *kinit -k odd though as kinit -k seems to fail but kinit with admin
> seems to work indicating I can hit the KDC even though kinit -k says I
> cannot?*
>
> [root@server1 pam.d]# kinit -k server1
> kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while
> getting initial credentials
> [root@server1 pam.d]# kinit -k server1.IPA.LOCAL
> kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL
> while getting initial credentials

You need to specify full principal name as printed from klist command, i.e.

kinit -k /etc/krb5.keytab host/server1.ipa.local

> [root@server1 pam.d]# kinit admin
> Password for admin@ipa.local:
> [root@server1 pam.d]#
> [root@server1 pam.d]# klist
> Ticket cache: KEYRING:persistent:11:11
> Default principal: admin@IPA.LOCAL
>
> Valid starting       Expires              Service principal
> 11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/IPA.LOCAL@IPA.LOCAL
>
> [root@server1 pam.d]# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/server1.ipa.local@IPA.LOCAL
>    2    1 host/server1.ipa.local@IPA.LOCAL
>    3    1 host/server1.ipa.local@IPA.LOCAL
>    4    1 host/server1.ipa.local@IPA.LOCAL
>
> *Added debug_level = 10 on the domain section of sssd.conf and restarted
> is all I see*
> [root@server1 sssd]# cat ldap_child.log
> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
> lacks support for encryption type
> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]]
> [
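The keytab listing and the ldap_child log above are the two artifacts this thread keeps coming back to, and reading them by hand across a fleet gets old. The following Python is an added example, not code from the thread, from FreeIPA or from SSSD: it parses text in the shape of `klist -ke` output, reports per principal which strong (AES/Camellia) and weak (DES/3DES/RC4) keys the keytab holds, and tallies the "Failed to init credentials" reasons in an sssd ldap_child debug log, attaching the general meaning of the two libkrb5 errors that appear in this thread. The principal names, PIDs, timestamps and the extra nfs/ principal in the sample input are constructed to resemble the thread's output, not copied from a real host.

```python
"""Keytab enctype audit plus sssd ldap_child failure tally (added example).

Not code from the thread, FreeIPA or SSSD.  Parses text shaped like
'klist -ke' output and sssd ldap_child debug lines; sample input below is
constructed to resemble the thread.
"""
import re
from collections import defaultdict

# Enctypes MIT krb5 treats as weak or deprecated.  A principal whose keytab
# holds only these cannot authenticate against a KDC that issues AES only.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}
STRONG_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
    "camellia256-cts-cmac", "camellia128-cts-cmac",
}

# General meaning of the two libkrb5 errors seen in the thread, and the
# first thing to check on the client (general guidance, not thread-specific).
HINTS = {
    "Program lacks support for encryption type":
        "client libkrb5 refuses the key's enctype: check permitted/default "
        "enctypes and allow_weak_crypto in krb5.conf against the keytab",
    "Decrypt integrity check failed":
        "keytab key does not match the KDC's key (stale keytab or KVNO): "
        "re-fetch the host keytab",
}

# One 'klist -ke' entry looks like "   1 host/x@REALM (enctype)".
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# One sssd ldap_child debug line: timestamp, component/pid, function, level.
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_klist_ke(text):
    """Return {principal: {kvno: [enctype, ...]}} from 'klist -ke' output."""
    keys = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys[principal][int(kvno)].append(enctype)
    return keys


def audit_keytab(text):
    """Per principal: KVNOs present, strong and weak enctypes, unknown
    names, and whether at least one strong key exists (strong_ok)."""
    report = {}
    for principal, by_kvno in parse_klist_ke(text).items():
        enctypes = {e for lst in by_kvno.values() for e in lst}
        report[principal] = {
            "kvnos": sorted(by_kvno),
            "strong": sorted(enctypes & STRONG_ENCTYPES),
            "weak": sorted(enctypes & WEAK_ENCTYPES),
            "unknown": sorted(enctypes - STRONG_ENCTYPES - WEAK_ENCTYPES),
            "strong_ok": bool(enctypes & STRONG_ENCTYPES),
        }
    return report


def summarize_ldap_child(text):
    """Map each 'Failed to init credentials' reason in an ldap_child log to
    (count, hint); hint is None for reasons not in HINTS."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = SSSD_LINE.match(line)
        if m and m.group("msg").startswith("Failed to init credentials"):
            reason = m.group("msg").split(":", 1)[1].strip()
            counts[reason] += 1
    return {reason: (n, HINTS.get(reason)) for reason, n in counts.items()}


# Constructed sample input, modelled on the thread's output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)
   2 nfs/server1.ipa.local@IPA.LOCAL (des-cbc-crc)
"""
SAMPLE_LOG = """\
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0400): Principal name is: [host/server1.ipa.local@IPA.LOCAL]
"""

if __name__ == "__main__":
    for principal, info in audit_keytab(SAMPLE_KLIST).items():
        print(principal, info)
    for reason, (n, hint) in summarize_ldap_child(SAMPLE_LOG).items():
        print(f"{n}x {reason}: {hint}")
```

On the thread's own keytab the host principal comes out with both AES keys present and des3-cbc-sha1 and arcfour-hmac flagged as weak, so a key-strength mismatch alone does not explain the failure; the hint table is there to turn the two error strings into the next thing to check, not to diagnose the thread.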
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
)! This is also strange but might be side effect I assume.. we mount NFS v4 home dir with automount for central homes and profiles.. on the boxes having this issue some of the IDs show just the UID numbers/GID numbers where some of the IDs actually show the UID name/GID name. We have over 2k servers showing the UID name/GID name with no issues.. just the boxes having this issue.

Sean Hogan

From: Jakub Hrozek <jhro...@redhat.com>
To: freeipa-users@redhat.com
Date: 11/16/2016 02:29 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sent by: freeipa-users-boun...@redhat.com

On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
> Hello,
>
> I am starting to see some issues with a few RHEL7 boxes I have been
> enrolling to my RHEL 6 IPA server regarding encryption.
>
> RHEL 7 client
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> sssd-ipa-1.12.2-58.el7_1.18.x86_64
> ipa-client-4.1.0-18.el7_1.4.x86_64
>
> RHEL 6 Server
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> sssd-ipa-1.13.3-22.el6_8.4.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
>
> The RHEL 7 client shows this in messages
>
> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
> for encryption type

Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?

> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
> failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> I am also not seeing host certs for them on the ipa server but I do see
> them on the local box.
>
> [root@server1 pam.d]# ktutil

Can you run klist -ke as well to see what encryption types are included in
the keytab?

Is it possible to run "kinit -k" on the client?

> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/server1.ipa.local@IPA.LOCAL
>    2    1 host/server1.ipa.local@IPA.LOCAL
>    3    1 host/server1.ipa.local@IPA.LOCAL
>    4    1 host/server1.ipa.local@IPA.LOCAL
> ktutil:
>
> I have one RHEL 7 box with no issues as it was just enrolled (missing host
> certs in IPA though) and I compared an IPA ID login with a box not
> working
>
> *NOT Work*
> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed'
>
> vs
>
> Works
> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'
>
> It's almost as if the pam files are not being read?
>
> Sean Hogan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
> Hello,
>
> I am starting to see some issues with a few RHEL7 boxes I have been
> enrolling to my RHEL 6 IPA server regarding encryption.
>
> RHEL 7 client
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> sssd-ipa-1.12.2-58.el7_1.18.x86_64
> ipa-client-4.1.0-18.el7_1.4.x86_64
>
> RHEL 6 Server
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> sssd-ipa-1.13.3-22.el6_8.4.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
>
> The RHEL 7 client shows this in messages
>
> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
> for encryption type

Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?

> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
> failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> I am also not seeing host certs for them on the ipa server but I do see
> them on the local box.
>
> [root@server1 pam.d]# ktutil

Can you run klist -ke as well to see what encryption types are included in
the keytab?

Is it possible to run "kinit -k" on the client?

> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/server1.ipa.local@IPA.LOCAL
>    2    1 host/server1.ipa.local@IPA.LOCAL
>    3    1 host/server1.ipa.local@IPA.LOCAL
>    4    1 host/server1.ipa.local@IPA.LOCAL
> ktutil:
>
> I have one RHEL 7 box with no issues as it was just enrolled (missing host
> certs in IPA though) and I compared an IPA ID login with a box not
> working
>
> NOT Work
> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'
>
> vs
>
> Works
> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'
>
> It's almost as if the pam files are not being read?
>
> Sean Hogan