Re: [Freeipa-users] Unable to authenticate a client user against IPA
Simo Sorce wrote: - Original Message - Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac .NZ] not found in keytab [default] (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A C.NZ] not found in keytab [default] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] [root@Fed14-64-ipacl03 sssd]# root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz [root@Fed14-64-ipacl03 sssd]# ? Caught Steven on IRC, this was a case of hostname being mixed case, which confuses kerberos libraries as they are case-sensitive and expect all lowercase names for hosts. This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-) Simo. Simo, this probably explain why the keytab isn't disabled on the server when he uninstalls the client. I'll make sure that gets tested as part of ticket 1080. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 07:26 PM, Dmitri Pal wrote: > On 03/10/2011 06:30 PM, Steven Jones wrote: >> My problem is "To troubleshoot we need logs. There are all sorts of >> logs and configuration files on the server and on the client." > On the client: > > Config: 1) /etc/sssd/sssd.conf 2) /etc/pam.d/system-auth-ac 3) > /etc/nsswitch.conf > > Logs /var/log/sssd The most interesting one is sssd_default.log but > you can include all of them. /var/log/ipaclient-install.log > /var/log/ipaclient-uninstall.log Just a correction, it wouldn't be sssd_default.log. It would be sssd_.log. The ipa-client doesn't set up the 'default' domain, it names it after the IPA domain. So it's possible you've been looking at the wrong log. (This could also explain your comment about zero-length logs earlier). Sorry for the confusion. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk157egACgkQeiVVYja6o6NMeQCfaq3Or5XENZp97ORVyRqE/awa h1QAniJllm1U19aSj3ryXPo3SbbqD5p+ =w27/ -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of > logs and configuration files on the server and on the client." > > Thats just it.I dont know where to look.its simply not > documentedso what I need is for someone to tell me what logs you > needand how to make the system log reliably.. for instance > debug_level = 9 in the sssd.conf still produces 0 length logs on > client1so there is nothing to report > If that's happening, then it likely means that SSSD was never started (or not restarted after adding debug_level=9; SSSD doesn't autodetect this change). Please try 'service sssd restart' > It may well be my problems stems from trying to use RHEL6 svr and KVM > with fedora 14 clients inside it which I am finding very flakyI > may need to blow it away and move the test bed to vmware ESXi. > > Or maybe indeed I am serially doing something wrong. > > I am trying again to setup client 3, what selinux is telling me is > ipa-submit is trying to open krb5.keytab > > I will test and maybe turn selinux off, if i can figur eout how! > As root, run 'setenforce 0'. This will set SELinux into "permissive" mode. It will still report SELinux errors, but it won't prevent the functionality. Please keep an eye on any such errors and report them to us. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk157WkACgkQeiVVYja6o6M3oACeIb9tbVL8A7PMWcbrqfQedykZ cnUAoJGIa9lvGbPJbg1fecogYYwU4VWk =E+gl -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
- Original Message - > Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/fed14-64-ipacl03.ipa.ac...@ipa.ac > .NZ] not found in keytab [default] > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > Could not verify keytab > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > (0): Error (14) in module (ipa) initialization (sssm_ipa_id > _init)! > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] > (0): fatal error initializing data providers > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > initialize backend [14] > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A > C.NZ] not found in keytab [default] > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > Could not verify keytab > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > (0): Error (14) in module (ipa) initialization (sssm_ipa_id > _init)! > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] > (0): fatal error initializing data providers > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > initialize backend [14] > [root@Fed14-64-ipacl03 sssd]# > > > root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > > -- > 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz > 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz > 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz > 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz > [root@Fed14-64-ipacl03 sssd]# > > ? > Caught Steven on IRC, this was a case of hostname being mixed case, which confuses kerberos libraries as they are case-sensitive and expect all lowercase names for hosts. This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-) Simo. -- Simo Sorce * Red Hat, Inc. * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of logs and > configuration files on the server and on the client." On the client: Config: 1) /etc/sssd/sssd.conf 2) /etc/pam.d/system-auth-ac 3) /etc/nsswitch.conf Logs /var/log/sssd The most interesting one is sssd_default.log but you can include all of them. /var/log/ipaclient-install.log /var/log/ipaclient-uninstall.log On the server there are all sorts of logs in the /var/log and under the directories. Dirsrv for DS, http for apache etc. Do not have the directory in front of me. Make sure that the versions of the packages are latest and match each other on both sides. Make sure the time is in synch. Make sure that names are resolvable if you are not using IPA with the embedded DNS. It makes sense to reboot machine after installing and configuring SSSD. Test a user on the server first make sure you can authenticate and he has a valid password. Include the commands you used to install the server and the client in the mail. Good luck! Thanks Dmitri > Thats just it.I dont know where to look.its simply not > documentedso what I need is for someone to tell me what logs you > needand how to make the system log reliably.. for instance > debug_level = 9 in the sssd.conf still produces 0 length logs on > client1so there is nothing to report > > It may well be my problems stems from trying to use RHEL6 svr and KVM with > fedora 14 clients inside it which I am finding very flakyI may need to > blow it away and move the test bed to vmware ESXi. > > Or maybe indeed I am serially doing something wrong. > > I am trying again to setup client 3, what selinux is telling me is ipa-submit > is trying to open krb5.keytab > > I will test and maybe turn selinux off, if i can figur eout how! > > regards > > Steven > > > > Steve, > > Sorry but it looks like you are doing something wrong over and over again or > there is something mis-configured in your environment. > We are executing tests every day with new and old machines bare metal and VMs. > And everything works so there is definitely something specific to your > environment which is different. > May be it is DNS or NTP or something like. We do not know. May be it is a bug > that we do not hit because we do not run things in the sequence you run or > with configuration you use. > > You write a lot of mails to us but few contain any substantial information > about your setup. > To troubleshoot we need logs. > There are all sorts of logs and configuration files on the server and on the > client. > You do not include them in your emails. > How do you think we can troubleshoot the problems? > > If you want us to help please include more detailed information. > I am really sorry that you are experiencing the issues and spending that much > time but I do not see a way to help you since we do not have sufficient > information to do the troubleshooting. > > We will be happy to help you as soon as you provide such information. > > > Thank you, > Dmitri > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac .NZ] not found in keytab [default] (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A C.NZ] not found in keytab [default] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] [root@Fed14-64-ipacl03 sssd]# root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz [root@Fed14-64-ipacl03 sssd]# ? regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Friday, 11 March 2011 11:58 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA On 03/10/2011 05:37 PM, Steven Jones wrote: > I have run the in-install script and it wont delete the client in the ipa > system, so again I had to delete it via the web guiI will try > re-installing. > > A release candidate? > > I dont see howfor me a release candidate should pretty much work with the > odd bug in an "odd" areathis is still like alphamajor functionality > failure, as personally I class being unable to do the very first thing you > need to do as a major failure. > > regards > Steve, Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. We are executing tests every day with new and old machines bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information. I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information. Thank you, Dmitri ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of logs and > configuration files on the server and on the client." > > Thats just it.I dont know where to look.its simply not > documentedso what I need is for someone to tell me what logs you > needand how to make the system log reliably.. for instance > debug_level = 9 in the sssd.conf still produces 0 length logs on > client1so there is nothing to report > > It may well be my problems stems from trying to use RHEL6 svr and KVM with > fedora 14 clients inside it which I am finding very flakyI may need to > blow it away and move the test bed to vmware ESXi. > > Or maybe indeed I am serially doing something wrong. > > I am trying again to setup client 3, what selinux is telling me is ipa-submit > is trying to open krb5.keytab > > I will test and maybe turn selinux off, if i can figur eout how! > > regards > > Steven > > > > Steve, > > Sorry but it looks like you are doing something wrong over and over again or > there is something mis-configured in your environment. > We are executing tests every day with new and old machines bare metal and VMs. > And everything works so there is definitely something specific to your > environment which is different. > May be it is DNS or NTP or something like. We do not know. May be it is a bug > that we do not hit because we do not run things in the sequence you run or > with configuration you use. > > You write a lot of mails to us but few contain any substantial information > about your setup. > To troubleshoot we need logs. > There are all sorts of logs and configuration files on the server and on the > client. > You do not include them in your emails. > How do you think we can troubleshoot the problems? > > If you want us to help please include more detailed information. > I am really sorry that you are experiencing the issues and spending that much > time but I do not see a way to help you since we do not have sufficient > information to do the troubleshooting. > > We will be happy to help you as soon as you provide such information. > > > Thank you, > Dmitri > I plan to play with the installation tomorrow morning. I will send you the fill list of the config and log files from both sides. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
My problem is "To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client." Thats just it.I dont know where to look.its simply not documentedso what I need is for someone to tell me what logs you needand how to make the system log reliably.. for instance debug_level = 9 in the sssd.conf still produces 0 length logs on client1so there is nothing to report It may well be my problems stems from trying to use RHEL6 svr and KVM with fedora 14 clients inside it which I am finding very flakyI may need to blow it away and move the test bed to vmware ESXi. Or maybe indeed I am serially doing something wrong. I am trying again to setup client 3, what selinux is telling me is ipa-submit is trying to open krb5.keytab I will test and maybe turn selinux off, if i can figur eout how! regards Steven Steve, Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. We are executing tests every day with new and old machines bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information. I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information. Thank you, Dmitri ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/10/2011 05:37 PM, Steven Jones wrote: > I have run the in-install script and it wont delete the client in the ipa system, so again I had to delete it via the web guiI will try re-installing. > > A release candidate? > > I dont see howfor me a release candidate should pretty much work with the odd bug in an "odd" areathis is still like alphamajor functionality failure, as personally I class being unable to do the very first thing you need to do as a major failure. > > regards > Steve, Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. We are executing tests every day with new and old machines bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information. I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information. Thank you, Dmitri ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I have run the in-install script and it wont delete the client in the ipa system, so again I had to delete it via the web guiI will try re-installing. A release candidate? I dont see howfor me a release candidate should pretty much work with the odd bug in an "odd" areathis is still like alphamajor functionality failure, as personally I class being unable to do the very first thing you need to do as a major failure. regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 11 March 2011 11:17 a.m. To: Stephen Gallagher; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA third client wont authenticate either So I guess its a problem around the install script if not selinux regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 11 March 2011 11:06 a.m. To: Stephen Gallagher; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA While installing my third client selinux popped up a warning it was blocking access to krb5so Im wondering if the reason teh install of the client is failing is due to selinux? regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com] Sent: Friday, 11 March 2011 4:31 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 10:10 AM, Simo Sorce wrote: > - Original Message - >> Steven Jones wrote: >>> Ok, >>> >>> However I cant LDAP/Ipa authenticate stillon either >>> client.. >>> >>> So what next? >> >> sssd handles logins, you can try turning up the log level on that >> (though I suspect it wasn't the reboot that fixed this but >> restarting sssd). > > If sssd was never used before then what was needed was a restart of > the services using it (sshd, gdm), as nsswitch.conf is never re-read > by glibc, you can't use the new users until those services are > restarted after nsswitch.conf is modified. > > I think we also offer to restart the client after ipa-client-install > exactly as a way to restart all services that may depend on picking > up this change. That reboot is not necessary if you manually restart > all services after that, but if you don't than you better do a reboot > as we suggest. > >> As part of ipa-client-install sssd is restarted and tested via >> 'getent passwd admin'. This should be visible in >> /var/log/ipaclient-install.log. Did this command succeed? > > Even if this succeed, authentication via gdm or ssh can still fail > until the services are restarted. > > Just pointing out this fact as a help point for other users testing > ipa-client-install in future. FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk147s0ACgkQeiVVYja6o6OQBgCeNHlXcAm4liybFkJwS0Q+mWTt vtkAoIsKvsa2qowVZr0pMrjVGOqaLkeq =CC82 -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
third client wont authenticate either So I guess its a problem around the install script if not selinux regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 11 March 2011 11:06 a.m. To: Stephen Gallagher; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA While installing my third client selinux popped up a warning it was blocking access to krb5so Im wondering if the reason teh install of the client is failing is due to selinux? regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com] Sent: Friday, 11 March 2011 4:31 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 10:10 AM, Simo Sorce wrote: > - Original Message - >> Steven Jones wrote: >>> Ok, >>> >>> However I cant LDAP/Ipa authenticate stillon either >>> client.. >>> >>> So what next? >> >> sssd handles logins, you can try turning up the log level on that >> (though I suspect it wasn't the reboot that fixed this but >> restarting sssd). > > If sssd was never used before then what was needed was a restart of > the services using it (sshd, gdm), as nsswitch.conf is never re-read > by glibc, you can't use the new users until those services are > restarted after nsswitch.conf is modified. > > I think we also offer to restart the client after ipa-client-install > exactly as a way to restart all services that may depend on picking > up this change. That reboot is not necessary if you manually restart > all services after that, but if you don't than you better do a reboot > as we suggest. > >> As part of ipa-client-install sssd is restarted and tested via >> 'getent passwd admin'. This should be visible in >> /var/log/ipaclient-install.log. Did this command succeed? > > Even if this succeed, authentication via gdm or ssh can still fail > until the services are restarted. > > Just pointing out this fact as a help point for other users testing > ipa-client-install in future. FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk147s0ACgkQeiVVYja6o6OQBgCeNHlXcAm4liybFkJwS0Q+mWTt vtkAoIsKvsa2qowVZr0pMrjVGOqaLkeq =CC82 -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
While installing my third client selinux popped up a warning it was blocking access to krb5so Im wondering if the reason teh install of the client is failing is due to selinux? regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com] Sent: Friday, 11 March 2011 4:31 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 10:10 AM, Simo Sorce wrote: > - Original Message - >> Steven Jones wrote: >>> Ok, >>> >>> However I cant LDAP/Ipa authenticate stillon either >>> client.. >>> >>> So what next? >> >> sssd handles logins, you can try turning up the log level on that >> (though I suspect it wasn't the reboot that fixed this but >> restarting sssd). > > If sssd was never used before then what was needed was a restart of > the services using it (sshd, gdm), as nsswitch.conf is never re-read > by glibc, you can't use the new users until those services are > restarted after nsswitch.conf is modified. > > I think we also offer to restart the client after ipa-client-install > exactly as a way to restart all services that may depend on picking > up this change. That reboot is not necessary if you manually restart > all services after that, but if you don't than you better do a reboot > as we suggest. > >> As part of ipa-client-install sssd is restarted and tested via >> 'getent passwd admin'. This should be visible in >> /var/log/ipaclient-install.log. Did this command succeed? > > Even if this succeed, authentication via gdm or ssh can still fail > until the services are restarted. > > Just pointing out this fact as a help point for other users testing > ipa-client-install in future. FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk147s0ACgkQeiVVYja6o6OQBgCeNHlXcAm4liybFkJwS0Q+mWTt vtkAoIsKvsa2qowVZr0pMrjVGOqaLkeq =CC82 -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 10:10 AM, Simo Sorce wrote: > - Original Message - >> Steven Jones wrote: >>> Ok, >>> >>> However I cant LDAP/Ipa authenticate stillon either >>> client.. >>> >>> So what next? >> >> sssd handles logins, you can try turning up the log level on that >> (though I suspect it wasn't the reboot that fixed this but >> restarting sssd). > > If sssd was never used before then what was needed was a restart of > the services using it (sshd, gdm), as nsswitch.conf is never re-read > by glibc, you can't use the new users until those services are > restarted after nsswitch.conf is modified. > > I think we also offer to restart the client after ipa-client-install > exactly as a way to restart all services that may depend on picking > up this change. That reboot is not necessary if you manually restart > all services after that, but if you don't than you better do a reboot > as we suggest. > >> As part of ipa-client-install sssd is restarted and tested via >> 'getent passwd admin'. This should be visible in >> /var/log/ipaclient-install.log. Did this command succeed? > > Even if this succeed, authentication via gdm or ssh can still fail > until the services are restarted. > > Just pointing out this fact as a help point for other users testing > ipa-client-install in future. FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk147s0ACgkQeiVVYja6o6OQBgCeNHlXcAm4liybFkJwS0Q+mWTt vtkAoIsKvsa2qowVZr0pMrjVGOqaLkeq =CC82 -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
- Original Message - > Steven Jones wrote: > > Ok, > > > > However I cant LDAP/Ipa authenticate stillon either > > client.. > > > > So what next? > > sssd handles logins, you can try turning up the log level on that > (though I suspect it wasn't the reboot that fixed this but restarting > sssd). If sssd was never used before then what was needed was a restart of the services using it (sshd, gdm), as nsswitch.conf is never re-read by glibc, you can't use the new users until those services are restarted after nsswitch.conf is modified. I think we also offer to restart the client after ipa-client-install exactly as a way to restart all services that may depend on picking up this change. That reboot is not necessary if you manually restart all services after that, but if you don't than you better do a reboot as we suggest. > As part of ipa-client-install sssd is restarted and tested via 'getent > passwd admin'. This should be visible in > /var/log/ipaclient-install.log. > Did this command succeed? Even if this succeed, authentication via gdm or ssh can still fail until the services are restarted. Just pointing out this fact as a help point for other users testing ipa-client-install in future. Simo. -- Simo Sorce * Red Hat, Inc. * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote: Ok, However I cant LDAP/Ipa authenticate stillon either client.. So what next? sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd). As part of ipa-client-install sssd is restarted and tested via 'getent passwd admin'. This should be visible in /var/log/ipaclient-install.log. Did this command succeed? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I rebooted both clients and after the reboot they now do IPA authentication.. So client1 we did some work on and it wouldnt work until a rebootclient2 I did nothing to until I rebooted.then that also worked So I will make a third client and try that Are there rpms & scripts for a rhel6ws?I could try that as well...also RHEL5 regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Thursday, 10 March 2011 11:35 a.m. To: d...@redhat.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA 8><--- > 4) Install client again > > Everything should work. > If not please send us the logs. Not sure which logs as Im losing track of so many suggestions/threadsbut, On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length I just tried to add a local user and set a password and Im getting "passwd: Authentication token manipulation error" regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Ok, However I cant LDAP/Ipa authenticate stillon either client.. So what next? regards Steven From: Rob Crittenden [rcrit...@redhat.com] Sent: Thursday, 10 March 2011 10:47 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA Steven Jones wrote: > Hi, > > I have gone into the webgui and manually removed the no1 client/host, it > has now joined successfully... > > So Yes, the next issue > > regards > I'm going to try to consolidate a few things here from some other responses. * You do not need to pre-create the host in order to enroll it using kerberos credentials. It is ok if the host already exists but not absolutely required. * When a host is unenrolled it uses its own credentials (the service principal in /etc/krb5.keytab host/client.example@example.com) to authenticate to IPA and say "I'm done with these credentials." If you lack this principal it cannot authenticate to IPA to say "I'm done with these credentials." If a keytab was actually created for this host and the contents are lost then you will need to manually free it up for enrollment again either with: # ipa host-disable client.example.com or # ipa host-del client.example.com You can see if a keytab was issued with: # ipa host-show client.example.com Look for Keytab: True * Tickets 1028 and 1029 probably don't apply here. 1028 relates only to tracking SSL certificates and 1029 only applies if you used the --hostname option with ipa-client-install. * ipa-rmkeytab is client side only. It just removes the principals for a specific host or realm from a keytab file. It has no effect on the server at all. regards rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8><--- > 4) Install client again > > Everything should work. > If not please send us the logs. Not sure which logs as Im losing track of so many suggestions/threadsbut, On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length I just tried to add a local user and set a password and Im getting "passwd: Authentication token manipulation error" regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote: Hi, I have gone into the webgui and manually removed the no1 client/host, it has now joined successfully... So Yes, the next issue regards I'm going to try to consolidate a few things here from some other responses. * You do not need to pre-create the host in order to enroll it using kerberos credentials. It is ok if the host already exists but not absolutely required. * When a host is unenrolled it uses its own credentials (the service principal in /etc/krb5.keytab host/client.example@example.com) to authenticate to IPA and say "I'm done with these credentials." If you lack this principal it cannot authenticate to IPA to say "I'm done with these credentials." If a keytab was actually created for this host and the contents are lost then you will need to manually free it up for enrollment again either with: # ipa host-disable client.example.com or # ipa host-del client.example.com You can see if a keytab was issued with: # ipa host-show client.example.com Look for Keytab: True * Tickets 1028 and 1029 probably don't apply here. 1028 relates only to tracking SSL certificates and 1029 only applies if you used the --hostname option with ipa-client-install. * ipa-rmkeytab is client side only. It just removes the principals for a specific host or realm from a keytab file. It has no effect on the server at all. regards rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/09/2011 03:09 PM, Steven Jones wrote: > On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote: >> On 03/09/2011 02:21 PM, Steven Jones wrote: >>> Hi, >>> >>> I had/have already done the uninstall...and re-install. >>> >>> Also I registered a brand new 2nd client...that hasnt worked >>> either.. >>> >> How did you create the host record for it on the server? >> > > I didnt, I ran ipa-client-install from the client > > I have just run with the --uninstall flag and then re-run and its > failing as the client record was not removed... > > "Joining realm failed: Host is already joined" > > So the un-install script/flag isnt removing the client/host We have a bug when it does not remove the keytab on the client. It is addressed but have not yet been in the build you are using. When you uninstall the machine tries to remove it keytab from the server (if it is accessible). If the server is not accessible for whatever reason you have to clean keytab on the host entry manually. I either via the ipa host commands or via ipa-rmkeytab remotely. The actual entry is not removed. 1) Run unsinstall on the client 2) Make sure that the host entry is clean. Remove it on the server and re-add again. 3) Remove the keytab file and cert on the client (these bugs are fixed https://fedorahosted.org/freeipa/ticket/1028 https://fedorahosted.org/freeipa/ticket/1029) 4) Install client again Everything should work. If not please send us the logs. > regards > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi, I have gone into the webgui and manually removed the no1 client/host, it has now joined successfully... So Yes, the next issue regards On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 03/09/2011 02:45 PM, Steven Jones wrote: > > I have setup a 2nd client I have the same resultbut it looks like > > the keytab is correct? however LDAP logins still dont work... > > > > > > Keytab name: WRFILE:/etc/krb5.keytab > > KVNO Principal > > > > -- > >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz > >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz > >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz > >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz > > > > > > Could you please check the SSSD debug logs on that machine as well? It > may be a different problem now. > - -- > Stephen Gallagher > RHCE 804006346421761 > > Delivering value year after year. > Red Hat ranks #1 in value among software vendors. > http://www.redhat.com/promo/vendor/ > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk132iQACgkQeiVVYja6o6PMmwCfZutW0kF3eZKT9l9ZSs0gh0Zo > x+gAnRtixQjNA8cZcZRZE0AQjxP38SdN > =PBNu > -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote: > On 03/09/2011 02:21 PM, Steven Jones wrote: > > Hi, > > > > I had/have already done the uninstall...and re-install. > > > > Also I registered a brand new 2nd client...that hasnt worked > > either.. > > > How did you create the host record for it on the server? > I didnt, I ran ipa-client-install from the client I have just run with the --uninstall flag and then re-run and its failing as the client record was not removed... "Joining realm failed: Host is already joined" So the un-install script/flag isnt removing the client/host regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/09/2011 02:45 PM, Steven Jones wrote: > I have setup a 2nd client I have the same resultbut it looks like > the keytab is correct? however LDAP logins still dont work... > > > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > > -- >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz > > Could you please check the SSSD debug logs on that machine as well? It may be a different problem now. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk132iQACgkQeiVVYja6o6PMmwCfZutW0kF3eZKT9l9ZSs0gh0Zo x+gAnRtixQjNA8cZcZRZE0AQjxP38SdN =PBNu -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I have setup a 2nd client I have the same resultbut it looks like the keytab is correct? however LDAP logins still dont work... Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz regards On Tue, 2011-03-08 at 17:10 -0500, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 03/08/2011 04:40 PM, Steven Jones wrote: > > On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote: > >> Steven Jones wrote: > >>> 8><-- > >>> > >>> > >>> So how do I fault find? where do I start? > >>> > >>> ie Where do I start to look to determine why a user cannot login to a > >>> client via freeipa? > >>> > >>> How can I be more clear? because so far the replies have been not very > >>> productive. > >>> > >>> regards > >>> > >>> > >> > >> Add debug_level = 9 to the ipa provide in /etc/sssd/sssd.conf, restart > >> sssd, and try your login again. Look > >> in/var/log/sssd/sssd_example.com.log for information on the login attempt. > >> > >> Your uid/gid will likely differ. > >> > >> # getent passwd admin > >> admin:*:26420:26420:Administrator:/home/admin:/bin/bash > >> # id admin > >> uid=26420(admin) gid=26420(admins) groups=26420(admins) > >> # getent group admins > >> admins:*:26420:admin > >> # finger admin > >> Login: adminName: Administrator > >> Directory: /home/admin Shell: /bin/bash > >> Never logged in. > >> No mail. > >> No Plan. > > > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] > > [sss_krb5_verify_keytab_ex] (0): Principal > > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab > > [default] > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > > Could not verify keytab > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > > (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): > > fatal error initializing data providers > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > > initialize backend [14] > > (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] > > [sss_krb5_verify_keytab_ex] (0): Principal > > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab > > [default] > > > Well, here's your problem. The SSSD isn't starting up successfully > because you don't have a host principal for this server in your > /etc/krb5.keytab file. This was probably a bug in the ipa-client-install. > > What does > klist -k /etc/krb5.keytab > return to you? > > - -- > Stephen Gallagher > RHCE 804006346421761 > > Delivering value year after year. > Red Hat ranks #1 in value among software vendors. > http://www.redhat.com/promo/vendor/ > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk12qV4ACgkQeiVVYja6o6OH/gCfabjbwcx/WSookcjKPXeq9N70 > HpgAn3gj78oH0CW/WKS0F6X1Whvx/Wai > =R7BT > -END PGP SIGNATURE- > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/09/2011 02:21 PM, Steven Jones wrote:
> Hi,
>
> I had/have already done the uninstall...and re-install.
>
> Also I registered a brand new 2nd client...that hasnt worked
> either..
>
How did you create the host record for it on the server?
> regards
>
>
> On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> Log,
>>>
>> The error is "Host is already joined" so no keytab is requested. The
>> enrollment failed.
>>
>> ipa-client-install --uninstall should unenroll the client (you can
>> verify that Keytab is False in ipa host-show on the IPA
>> server.
>>
>> If so running ipa-client-install on the client should configure things
>> properly.
>>
>> rob
>>
>>>
>>> 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
>>> with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
>>> 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
>>> 'server': None, 'prompt_password': False, 'realm_name': None,
>>> 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
>>> None, 'mkhomedir': False, 'unattended': None, 'principal': None}
>>> 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
>>> interactively later
>>>
>>> 2011-03-04 15:08:58,726 DEBUG Loading Index file from
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
>>> 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
>>> 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
>>> 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
>>> -O /tmp/tmp7MhOze/ca.crt
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> 2011-03-04 15:08:58,736 DEBUG stdout=
>>> 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
>>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 1321 (1.3K) [application/x-x509-ca-cert]
>>> Saving to: `/tmp/tmp7MhOze/ca.crt'
>>>
>>> 0K . 100%
>>> 237M=0s
>>>
>>> 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
>>> [1321/1321]
>>>
>>>
>>> 2011-03-04 15:08:58,736 DEBUG Init ldap with:
>>> ldap://fed14-64-ipam001.ipa.ac.nz:389
>>> 2011-03-04 15:08:58,749 DEBUG Search rootdse
>>> 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
>>> dc=ipa,dc=ac,dc=nz(base)
>>> 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
>>> {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
>>> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
>>> ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
>>> 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
>>> in dc=ipa,dc=ac,dc=nz(sub)
>>> 2011-03-04 15:08:58,753 DEBUG Found:
>>> [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
>>> ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
>>> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
>>> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
>>> 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
>>> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
>>> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
>>> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
>>> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
>>> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
>>> 'krbMaxRenewableAge': ['604800']})]
>>> 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
>>>
>>> 2011-03-04 15:08:58,753 DEBUG will use server:
>>> fed14-64-ipam001.ipa.ac.nz
>>>
>>> 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
>>>
>>> 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
>>>
>>> 2011-03-04 15:09:04,645 DEBUG will use principal: admin
>>>
>>> 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> 2011-03-04 15:09:04,659 DEBUG stdout=
>>> 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
>>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 1321 (1.3K) [application/x-x509-ca-cert]
>>> Saving to: `/etc/ipa/ca.crt'
>>>
>>> 0K . 100%
>>> 249M=0s
>>>
>>> 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>>>
>>>
>>> 2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
>>> 2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:
>>>
>>> 2011-03-04 15:09:11,665 DEBUG stderr=
>>> 2011-03-04 15:09:13,
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,
I had/have already done the uninstall...and re-install.
Also I registered a brand new 2nd client...that hasnt worked
either..
regards
On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > Hi,
> >
> > Log,
> >
>
> The error is "Host is already joined" so no keytab is requested. The
> enrollment failed.
>
> ipa-client-install --uninstall should unenroll the client (you can
> verify that Keytab is False in ipa host-show on the IPA
> server.
>
> If so running ipa-client-install on the client should configure things
> properly.
>
> rob
>
> >
> > 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
> > with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
> > 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
> > 'server': None, 'prompt_password': False, 'realm_name': None,
> > 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
> > None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> > 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
> > interactively later
> >
> > 2011-03-04 15:08:58,726 DEBUG Loading Index file from
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
> > 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
> > 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
> > 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
> > -O /tmp/tmp7MhOze/ca.crt
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > 2011-03-04 15:08:58,736 DEBUG stdout=
> > 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1321 (1.3K) [application/x-x509-ca-cert]
> > Saving to: `/tmp/tmp7MhOze/ca.crt'
> >
> > 0K . 100%
> > 237M=0s
> >
> > 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
> > [1321/1321]
> >
> >
> > 2011-03-04 15:08:58,736 DEBUG Init ldap with:
> > ldap://fed14-64-ipam001.ipa.ac.nz:389
> > 2011-03-04 15:08:58,749 DEBUG Search rootdse
> > 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
> > dc=ipa,dc=ac,dc=nz(base)
> > 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
> > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
> > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> > ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
> > 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
> > in dc=ipa,dc=ac,dc=nz(sub)
> > 2011-03-04 15:08:58,753 DEBUG Found:
> > [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
> > ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
> > ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> > 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> > 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> > 'krbMaxRenewableAge': ['604800']})]
> > 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
> >
> > 2011-03-04 15:08:58,753 DEBUG will use server:
> > fed14-64-ipam001.ipa.ac.nz
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
> >
> > 2011-03-04 15:09:04,645 DEBUG will use principal: admin
> >
> > 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > 2011-03-04 15:09:04,659 DEBUG stdout=
> > 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1321 (1.3K) [application/x-x509-ca-cert]
> > Saving to: `/etc/ipa/ca.crt'
> >
> > 0K . 100%
> > 249M=0s
> >
> > 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
> >
> >
> > 2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
> > 2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:
> >
> > 2011-03-04 15:09:11,665 DEBUG stderr=
> > 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
> > fed14-64-ipam001.ipa.ac.nz
> > 2011-03-04 15:09:13,931 DEBUG stdout=
> > 2011-03-04 15
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote:
Hi,
Log,
The error is "Host is already joined" so no keytab is requested. The
enrollment failed.
ipa-client-install --uninstall should unenroll the client (you can
verify that Keytab is False in ipa host-show on the IPA
server.
If so running ipa-client-install on the client should configure things
properly.
rob
2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later
2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'
0K . 100%
237M=0s
2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]
2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
2011-03-04 15:09:04,645 DEBUG will use principal: admin
2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'
0K . 100%
249M=0s
2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:
2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG -> Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi, I have just done another F14 client and I have the same issue. regards regards On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote: > On Tue, 8 Mar 2011 19:05:45 -0500 (EST) > Stephen Gallagher wrote: > > > > > > > On Mar 8, 2011, at 5:45 PM, Steven Jones > > wrote: > > > > > Keytab name: WRFILE:/etc/krb5.keytab > > > KVNO Principal > > > > > > -- > > > > > > 8><- > > >> > > >> > > >> > > >> > > > > Looks like you have no host key in the keytab. That's the root of the > > problem. Seems like IPA-client-install failed to populate it. Rob, do > > you have any insight here? > > does /var/log/ipaclient-install.log show any error ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,
Log,
2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later
2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'
0K . 100%
237M=0s
2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]
2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
2011-03-04 15:09:04,645 DEBUG will use principal: admin
2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'
0K . 100%
249M=0s
2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:
2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG -> Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
-d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
'/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,1
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Tue, 8 Mar 2011 19:05:45 -0500 (EST) Stephen Gallagher wrote: > > > On Mar 8, 2011, at 5:45 PM, Steven Jones > wrote: > > > Keytab name: WRFILE:/etc/krb5.keytab > > KVNO Principal > > > > -- > > > > 8><- > >> > >> > >> > >> > > Looks like you have no host key in the keytab. That's the root of the > problem. Seems like IPA-client-install failed to populate it. Rob, do > you have any insight here? does /var/log/ipaclient-install.log show any error ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Mar 8, 2011, at 5:45 PM, Steven Jones wrote: > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > > -- > > 8><- >> >> >> >> Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it. Rob, do you have any insight here? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 8><- > > Well, here's your problem. The SSSD isn't starting up successfully > because you don't have a host principal for this server in your > /etc/krb5.keytab file. This was probably a bug in the ipa-client-install. > > What does > klist -k /etc/krb5.keytab > return to you? > > - -- > Stephen Gallagher > RHCE 804006346421761 > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/08/2011 04:40 PM, Steven Jones wrote: > On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote: >> Steven Jones wrote: >>> 8><-- >>> >>> >>> So how do I fault find? where do I start? >>> >>> ie Where do I start to look to determine why a user cannot login to a >>> client via freeipa? >>> >>> How can I be more clear? because so far the replies have been not very >>> productive. >>> >>> regards >>> >>> >> >> Add debug_level = 9 to the ipa provide in /etc/sssd/sssd.conf, restart >> sssd, and try your login again. Look >> in/var/log/sssd/sssd_example.com.log for information on the login attempt. >> >> Your uid/gid will likely differ. >> >> # getent passwd admin >> admin:*:26420:26420:Administrator:/home/admin:/bin/bash >> # id admin >> uid=26420(admin) gid=26420(admins) groups=26420(admins) >> # getent group admins >> admins:*:26420:admin >> # finger admin >> Login: adminName: Administrator >> Directory: /home/admin Shell: /bin/bash >> Never logged in. >> No mail. >> No Plan. > > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab > [default] > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > Could not verify keytab > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): > fatal error initializing data providers > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > initialize backend [14] > (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab > [default] Well, here's your problem. The SSSD isn't starting up successfully because you don't have a host principal for this server in your /etc/krb5.keytab file. This was probably a bug in the ipa-client-install. What does klist -k /etc/krb5.keytab return to you? - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk12qV4ACgkQeiVVYja6o6OH/gCfabjbwcx/WSookcjKPXeq9N70 HpgAn3gj78oH0CW/WKS0F6X1Whvx/Wai =R7BT -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote: > Steven Jones wrote: > > 8><-- > > > > > > So how do I fault find? where do I start? > > > > ie Where do I start to look to determine why a user cannot login to a > > client via freeipa? > > > > How can I be more clear? because so far the replies have been not very > > productive. > > > > regards > > > > > > Add debug_level = 9 to the ipa provide in /etc/sssd/sssd.conf, restart > sssd, and try your login again. Look > in/var/log/sssd/sssd_example.com.log for information on the login attempt. > > Your uid/gid will likely differ. > > # getent passwd admin > admin:*:26420:26420:Administrator:/home/admin:/bin/bash > # id admin > uid=26420(admin) gid=26420(admins) groups=26420(admins) > # getent group admins > admins:*:26420:admin > # finger admin > Login: adminName: Administrator > Directory: /home/admin Shell: /bin/bash > Never logged in. > No mail. > No Plan. (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! (Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default] (Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (ss
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote: 8><-- So how do I fault find? where do I start? ie Where do I start to look to determine why a user cannot login to a client via freeipa? How can I be more clear? because so far the replies have been not very productive. regards Add debug_level = 9 to the ipa provide in /etc/sssd/sssd.conf, restart sssd, and try your login again. Look in/var/log/sssd/sssd_example.com.log for information on the login attempt. Your uid/gid will likely differ. # getent passwd admin admin:*:26420:26420:Administrator:/home/admin:/bin/bash # id admin uid=26420(admin) gid=26420(admins) groups=26420(admins) # getent group admins admins:*:26420:admin # finger admin Login: adminName: Administrator Directory: /home/admin Shell: /bin/bash Never logged in. No mail. No Plan. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8>< > > Steven, sorry you're having such a hard time with this. Let me see if I > can help point you in the right direction. > > I'm trying to look at the history of this thread, but I'm coming into it > late, so please forgive me if I retread any ground that's already been > covered. > > First, I need to verify that I understand the state from which you're > working. Have you installed FreeIPA from the jdennis.fedorapeople.org > yum repository? [freeipa-devel] name=FreeIPA Development baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch enabled=1 gpgcheck=0 F14 and 64bit. > What version of the RPM packages for freeipa-server, freeipa-client and > sssd do you have? (rpm -q) ">>" 'd output, == sssd-1.5.1-9.fc14.x86_64 freeipa-client-2.0.0.rc2-0.fc14.x86_64 freeipa-server-2.0.0.rc2-0.fc14.x86_64 # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd:db files nisplus nis #shadow:db files nisplus nis #group: db files nisplus nis passwd: files sss shadow: files sss group: files sss #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc:nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files netgroup: files sss publickey: nisplus automount: files aliases:files nisplus [sssd] services = nss, pam config_file_version = 2 domains = ipa.ac.nz [nss] [pam] [domain/ipa.ac.nz] cache_credentials = True ipa_domain = ipa.ac.nz id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz [domain/default] cache_credentials = True krb5_realm = IPA.AC.NZ krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88 auth_provider = krb5 chpass_provider = krb5 krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749 debug_level=9 #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired pam_env.so authsufficientpam_fprintd.so authsufficientpam_unix.so nullok try_first_pass authrequisite pam_succeed_if.so uid >= 500 quiet authsufficientpam_sss.so use_first_pass authrequired pam_deny.so account required pam_unix.so broken_shadow account sufficientpam_localuser.so account sufficientpam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so passwordrequisite pam_cracklib.so try_first_pass retry=3 type= passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass use_authtok passwordsufficientpam_sss.so use_authtok passwordrequired pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired pam_env.so authsufficientpam_unix.so nullok try_first_pass authrequisite pam_succeed_if.so uid >= 500 quiet authsufficientpam_sss.so use_first_pass authrequired pam_deny.so account required pam_unix.so broken_shadow account sufficientpam_localuser.so account sufficientpam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account
Re: [Freeipa-users] Unable to authenticate a client user against IPA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/08/2011 02:43 PM, Steven Jones wrote: > 8><-- > > > So how do I fault find? where do I start? > > ie Where do I start to look to determine why a user cannot login to a > client via freeipa? > > How can I be more clear? because so far the replies have been not very > productive. > Steven, sorry you're having such a hard time with this. Let me see if I can help point you in the right direction. I'm trying to look at the history of this thread, but I'm coming into it late, so please forgive me if I retread any ground that's already been covered. First, I need to verify that I understand the state from which you're working. Have you installed FreeIPA from the jdennis.fedorapeople.org yum repository? What version of the RPM packages for freeipa-server, freeipa-client and sssd do you have? (rpm -q) I noticed that you mentioned in an earlier email that you were editing nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA client (any more). We now use SSSD (and ipa-client-install should be setting this up for you). So what I need to see are the following configuration files: 1) /etc/nsswitch.conf 2) /etc/sssd/sssd.conf 3) /etc/pam.d/system-auth 4) /etc/pam.d/password-auth (if using GDM) Also, to start debugging login problems, the best place to look is in /var/log/secure, which should report any PAM modules that are denying access to the account (and the reason why it's being denied). Please provide us with the above information and we'll see what we can do to get you up and running. Also, for much faster triage and debugging, you can join the #freeipa and/or #sssd IRC channels on the irc.freenode.net IRC server and speak with us directly. My nick on those channels is 'sgallagh'. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk12iroACgkQeiVVYja6o6NIQQCfWpxNdMTQyjJ8HojOOeBOIcuS qdsAoIrVUcvY2lgDv9bVFjyWqUjjH9ZU =wJNo -END PGP SIGNATURE- ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8><-- So how do I fault find? where do I start? ie Where do I start to look to determine why a user cannot login to a client via freeipa? How can I be more clear? because so far the replies have been not very productive. regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8><- > > > > getent passwd "user" however only returns one line, not the two I should > > expect? > > Why do you expect two lines? It should only return one, for that user. > > > > > It also returns very fastlike its not even looking remotely. > > Is the user in /etc/passwd too? > When I tried to get FDS going a few years ago getent used to return 2, the local one and the ldap one, hence two linesif it was working. I guess the ipa manual is lacking somewhat in that it says run these commands, but doesnt say what the expected output is or looks like, so how am I meant to know if its right or wrong? like duh. regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote: I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz' |more Which returns LDAP infothat looks finethe query looks OK getent passwd "user" however only returns one line, not the two I should expect? Why do you expect two lines? It should only return one, for that user. It also returns very fastlike its not even looking remotely. Is the user in /etc/passwd too? I have run authconfig-tui and that looks OK as far as I can tell I have set cli.conf and server.conf but there are no logs any where I can find Ideas please? Also how to get logging going so I have something to look at Logging depends entirely on the context you are in. For nss data (user, group, etc) you'll need to check system logs. If you are using sssd, the default, then you can try adding debug_level = 9 to /etc/sssd/sssd.conf in the ipa provider (domain/example.com) and restart sssd. Watch the logs in /var/log/sssd. Since sssd uses LDAP you can also see the queries it makes on your IPA server in /var/log/dirsrv/slapd-REALM/access. This log is buffered. cli.conf and server.conf are only used by the IPA management framework (the ipa command the webUI). The server-side log is the Apache error log, /var/log/httpd/error_log. So if the question is "why can't user log in" or "why can't I see user " then look in the sssd error logs. If you can't manage users using the ipa command, the Apache error log is the place to look. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz' |more Which returns LDAP infothat looks finethe query looks OK getent passwd "user" however only returns one line, not the two I should expect? It also returns very fastlike its not even looking remotely. I have run authconfig-tui and that looks OK as far as I can tell I have set cli.conf and server.conf but there are no logs any where I can find Ideas please? Also how to get logging going so I have something to look at regards On Tue, 2011-03-08 at 13:31 +1300, Steven Jones wrote: > Hi, > > Where does this log to? > > regards > > On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote: > > On 03/06/2011 02:48 PM, Steven Jones wrote: > > > How do i turn on logging on the client and the server so as to start > > > troubleshooting this authentication failure? > > > > > > regards > > > > > > ___ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > http://freeipa.org/page/IPAv2_config_files > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IPA project, > > Red Hat Inc. > > > > > > --- > > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ > > > > > > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi, Where does this log to? regards On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote: > On 03/06/2011 02:48 PM, Steven Jones wrote: > > How do i turn on logging on the client and the server so as to start > > troubleshooting this authentication failure? > > > > regards > > > > ___ > > Freeipa-users mailing list > > Freeipa-users@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > http://freeipa.org/page/IPAv2_config_files > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > --- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/06/2011 02:48 PM, Steven Jones wrote: > How do i turn on logging on the client and the server so as to start > troubleshooting this authentication failure? > > regards > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > http://freeipa.org/page/IPAv2_config_files -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
How do i turn on logging on the client and the server so as to start troubleshooting this authentication failure? regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8><--- This didnt work...intuitive, no I guess not regards > Sorry but the doc might be incomplete. We are in the middle of reviewing > it actually and adding information to it. > > Please go to your system-authconfig dialog and configure LDAP + Kerberos > with the IPA server. It should be intuitive. > It will update all the right config files. > > The logs are in the sub-directory under /var/log. > The name starts with ipa but I do not remember the exact name from the > top of my head. There are no logs... regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi, Well client to ipa server doesnt work.. regards On Fri, 2011-03-04 at 10:45 -0500, Rob Crittenden wrote: > Dmitri Pal wrote: > > On 03/03/2011 02:53 PM, Steven Jones wrote: > >> 8>< > >> > >> I have no idea, Im trying to follow the ipa document (version 0.5)so > >> if it says do something I try and do itif it doesnt say do something > >> wellit doesnt get done as I cant mind read. > >> > >> What I want is encrypted connections on all services / communications so > >> it is secure and safe. > >> > >> regards > > > > Here is some more information for you on SSSD. > > https://fedorahosted.org/sssd/wiki/HOWTO_Configure > > And also SSSD man pages are good. > > Let me also point out that ipa-client-install already configures the > client to use sssd. No additional configuration should be required. > > rob > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Dmitri Pal wrote: On 03/04/2011 10:45 AM, Rob Crittenden wrote: Dmitri Pal wrote: On 03/03/2011 02:53 PM, Steven Jones wrote: 8>< I have no idea, Im trying to follow the ipa document (version 0.5)so if it says do something I try and do itif it doesnt say do something wellit doesnt get done as I cant mind read. What I want is encrypted connections on all services / communications so it is secure and safe. regards Here is some more information for you on SSSD. https://fedorahosted.org/sssd/wiki/HOWTO_Configure And also SSSD man pages are good. Let me also point out that ipa-client-install already configures the client to use sssd. No additional configuration should be required. Rob, I do not remember does the ipa-client-install pull sssd automatically or you have to yum install it first? It is a package dependency so install automatically. We configure it by default. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/04/2011 10:45 AM, Rob Crittenden wrote: > Dmitri Pal wrote: >> On 03/03/2011 02:53 PM, Steven Jones wrote: >>> 8>< >>> >>> I have no idea, Im trying to follow the ipa document (version >>> 0.5)so >>> if it says do something I try and do itif it doesnt say do >>> something >>> wellit doesnt get done as I cant mind read. >>> >>> What I want is encrypted connections on all services / >>> communications so >>> it is secure and safe. >>> >>> regards >> >> Here is some more information for you on SSSD. >> https://fedorahosted.org/sssd/wiki/HOWTO_Configure >> And also SSSD man pages are good. > > Let me also point out that ipa-client-install already configures the > client to use sssd. No additional configuration should be required. Rob, I do not remember does the ipa-client-install pull sssd automatically or you have to yum install it first? > > rob > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Dmitri Pal wrote: On 03/03/2011 02:53 PM, Steven Jones wrote: 8>< I have no idea, Im trying to follow the ipa document (version 0.5)so if it says do something I try and do itif it doesnt say do something wellit doesnt get done as I cant mind read. What I want is encrypted connections on all services / communications so it is secure and safe. regards Here is some more information for you on SSSD. https://fedorahosted.org/sssd/wiki/HOWTO_Configure And also SSSD man pages are good. Let me also point out that ipa-client-install already configures the client to use sssd. No additional configuration should be required. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/03/2011 02:53 PM, Steven Jones wrote: > 8>< > > I have no idea, Im trying to follow the ipa document (version 0.5)so > if it says do something I try and do itif it doesnt say do something > wellit doesnt get done as I cant mind read. > > What I want is encrypted connections on all services / communications so > it is secure and safe. > > regards Here is some more information for you on SSSD. https://fedorahosted.org/sssd/wiki/HOWTO_Configure And also SSSD man pages are good. >> Are you planning to use pam_ldap + nss_ldap or SSSD? >> If SSSD have you installed SSSD packages first? >> >> The pam and nss config files as well as SSSD config and SSSD logs if it >> is in picture together with ipa-client-install logs would be a good >> starting point to troubleshoot the issue. >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> --- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/04/2011 02:35 AM, Steven Jones wrote: Hi, Thanks, I think there maybe a dependency missing for the yum install of the clientwhen I go to the system-auth, ipa is there as an option but its missing a .so in nss-pam-ldapd and asks for it to be installed, the dependency off that is nscd and pam_ldap Hopefully this will workI am dwnloading now. regards May I suggest using SSSD instead of nss-pam-ldapd. Apart from caching mechanism, it also enables client side of features such as HBAC or dynamic DNS update. Also all the client installation bits such as ipa-client-install default to using SSSD. That said, if you opt for nss-pam-ldapd, it should work, too.. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi, Thanks, I think there maybe a dependency missing for the yum install of the clientwhen I go to the system-auth, ipa is there as an option but its missing a .so in nss-pam-ldapd and asks for it to be installed, the dependency off that is nscd and pam_ldap Hopefully this will workI am dwnloading now. regards On Thu, 2011-03-03 at 18:22 -0500, Dmitri Pal wrote: > On 03/03/2011 02:31 PM, Dmitri Pal wrote: > > On 03/03/2011 02:21 PM, Steven Jones wrote: > >> I appear to have IPA running, I have run the install client on a fed14 > >> KVM guest and that guest is in the IPA system, however the users in IPA > >> cannot authenticate via IPA and get onto the client. There appears to > >> be traffic to port 389, so I assume its "almost" workingbut I can > >> find anything in logs to say whats wrongnot that I can determine > >> what logs to check.Ive been looking in /var/log so farare there > >> any other logs about? > >> > >> And/or where do I start looking to get this working? > >> > >> regards > >> > >> > >> > >> ___ > >> Freeipa-users mailing list > >> Freeipa-users@redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > > Are you planning to use pam_ldap + nss_ldap or SSSD? > > If SSSD have you installed SSSD packages first? > > > > The pam and nss config files as well as SSSD config and SSSD logs if it > > is in picture together with ipa-client-install logs would be a good > > starting point to troubleshoot the issue. > > > > Sorry but the doc might be incomplete. We are in the middle of reviewing > it actually and adding information to it. > > Please go to your system-authconfig dialog and configure LDAP + Kerberos > with the IPA server. It should be intuitive. > It will update all the right config files. > > The logs are in the sub-directory under /var/log. > The name starts with ipa but I do not remember the exact name from the > top of my head. > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > --- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/03/2011 02:31 PM, Dmitri Pal wrote: > On 03/03/2011 02:21 PM, Steven Jones wrote: >> I appear to have IPA running, I have run the install client on a fed14 >> KVM guest and that guest is in the IPA system, however the users in IPA >> cannot authenticate via IPA and get onto the client. There appears to >> be traffic to port 389, so I assume its "almost" workingbut I can >> find anything in logs to say whats wrongnot that I can determine >> what logs to check.Ive been looking in /var/log so farare there >> any other logs about? >> >> And/or where do I start looking to get this working? >> >> regards >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > Are you planning to use pam_ldap + nss_ldap or SSSD? > If SSSD have you installed SSSD packages first? > > The pam and nss config files as well as SSSD config and SSSD logs if it > is in picture together with ipa-client-install logs would be a good > starting point to troubleshoot the issue. > Sorry but the doc might be incomplete. We are in the middle of reviewing it actually and adding information to it. Please go to your system-authconfig dialog and configure LDAP + Kerberos with the IPA server. It should be intuitive. It will update all the right config files. The logs are in the sub-directory under /var/log. The name starts with ipa but I do not remember the exact name from the top of my head. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8>< I have no idea, Im trying to follow the ipa document (version 0.5)so if it says do something I try and do itif it doesnt say do something wellit doesnt get done as I cant mind read. What I want is encrypted connections on all services / communications so it is secure and safe. regards > > Are you planning to use pam_ldap + nss_ldap or SSSD? > If SSSD have you installed SSSD packages first? > > The pam and nss config files as well as SSSD config and SSSD logs if it > is in picture together with ipa-client-install logs would be a good > starting point to troubleshoot the issue. > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > --- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
"id thing" returns id: thing: no such user... In iptraf there is a port 389 connection, suggesting its asking the ipa master about user "thing"so its either asking the wrong Q or the ipa master cant see the user "thing" yet its there in the gui. One thing "thing" only exists on the ipa master, with "irwin" it exists locally so id returns local info as I see no 389 connection taking place there was no nslcd.conf so I wrote one as per, 8.1.4. Configuring System Login You need to modify the /etc/nslcd.conf file, used by the nslcd service, on the client, to include additional information about the IPA server. This is so that the client can reach the IPA server's LDAP server for getent commands and also for ssh. For example, you should include the following information in your /etc/nslcd.conf file: uri host ip-address-of-ipaserver.example.com-here base dc=example,dc=com So mine says, uri host 192.168.100.2 base dc=ipa,dc=ac,dc=nz Where 192.168.100.2 is the original master. regards On Thu, 2011-03-03 at 14:30 -0500, Rob Crittenden wrote: > Steven Jones wrote: > > I appear to have IPA running, I have run the install client on a fed14 > > KVM guest and that guest is in the IPA system, however the users in IPA > > cannot authenticate via IPA and get onto the client. There appears to > > be traffic to port 389, so I assume its "almost" workingbut I can > > find anything in logs to say whats wrongnot that I can determine > > what logs to check.Ive been looking in /var/log so farare there > > any other logs about? > > > > And/or where do I start looking to get this working? > > > > regards > > > > > > On that client can you do things like: > > $ getent passwd > > or > > $ id > > ? > > That should cause sssd to fetch user information. If it fails then we'll > start by looking at the sssd configuration. If not I guess we'll turn up > some debugging knobs to see what is going on. > > rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/03/2011 02:21 PM, Steven Jones wrote: > I appear to have IPA running, I have run the install client on a fed14 > KVM guest and that guest is in the IPA system, however the users in IPA > cannot authenticate via IPA and get onto the client. There appears to > be traffic to port 389, so I assume its "almost" workingbut I can > find anything in logs to say whats wrongnot that I can determine > what logs to check.Ive been looking in /var/log so farare there > any other logs about? > > And/or where do I start looking to get this working? > > regards > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Are you planning to use pam_ldap + nss_ldap or SSSD? If SSSD have you installed SSSD packages first? The pam and nss config files as well as SSSD config and SSSD logs if it is in picture together with ipa-client-install logs would be a good starting point to troubleshoot the issue. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Steven Jones wrote: I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume its "almost" workingbut I can find anything in logs to say whats wrongnot that I can determine what logs to check.Ive been looking in /var/log so farare there any other logs about? And/or where do I start looking to get this working? regards On that client can you do things like: $ getent passwd or $ id ? That should cause sssd to fetch user information. If it fails then we'll start by looking at the sssd configuration. If not I guess we'll turn up some debugging knobs to see what is going on. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
