Robert Kudyba wrote:
On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Robert Kudyba via FreeIPA-users wrote:
I believe we've made some progress but not quite there yet. Just to
recap, any NEW user created via CLI or GUI can connect via ssh. All
imported NIS users can only log in with their NIS password. I change
the user's password in the UI and check the Password checkbox in
User authentication type and click Save. I successfully added a
client: ipa host-add-managedby --hosts=ourdomain.edu client.ourdomain.edu
Host name: client.ourdomain.edu
Platform: x86_64
Operating system: 5.10.9-201.fc33.x86_64
Principal name: host/client.ourdomain.edu@OURDOMAIN.EDU
Principal alias: host/client.ourdomain.edu@OURDOMAIN.EDU
Managed by: client.ourdomain.edu, ourdomain.edu
-------------------------
Number of members added 1
-------------------------
[root@ourdomain ~]# ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /tmp/client.keytab
Keytab successfully retrieved and stored in: /tmp/client.keytab
This is why SSSD isn't working. SSSD uses the host keytab in
/etc/krb5.keytab and you invalidated it with the above command.
OK, what do I need to do to fix this? I got this
from https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/In...
(which I realize is old).
Please do not use these documents. We'd remove them if it were in our
control.
You can re-run your getkeytab command using /etc/krb5.keytab instead to
sync up the keys.
> Based on this SF discussion
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__serverfault.com_ques...>,
> I changed in /etc/krb5.conf:
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
I don't think this is necessary.
OK Thanks for letting me know.
Are these SSH logs helpful:
NEEDED_PREAUTH: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): closing down fd 11
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed
Does this have to do with your comment above about SSSD not working?
Yes. A keytab is a password and this is effectively a "bad password" error.
rob
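The key-version mismatch Rob describes (a new keytab fetched into /tmp bumps the host key on the KDC, so the copy in /etc/krb5.keytab that SSSD uses stops working and the KDC logs "Preauthentication failed"), as an added example that is not from this thread or from the FreeIPA project. It parses `klist -kt` and `kvno` output to tell a stale /etc/krb5.keytab from a good one and prints the re-fetch command from Rob's reply. The hostnames, realm and sample command output are constructed; `--live` mode assumes it runs on the client with a valid ticket (for example after `kinit admin`), since `kvno` needs a credential cache to ask the KDC.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: detect a host
# keytab whose key version (KVNO) no longer matches the KDC, and print the
# ipa-getkeytab re-fetch into /etc/krb5.keytab that brings it back in sync.
# Hostnames, realm and sample command output below are constructed.

# Highest KVNO recorded for principal $1 in `klist -kt <keytab>` output read
# on stdin. An entry line looks like:
#    2 03/01/2021 10:12:05 host/client.ourdomain.edu@OURDOMAIN.EDU
# Prints 0 if the principal is absent (use -kt, not -kte, so the principal
# is the last field).
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && ($1 + 0) > max { max = $1 + 0 }
        END { print max }'
}

# KVNO the KDC currently holds, from `kvno <princ>` output read on stdin,
# e.g. "host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 3". Prints 0 if the
# output carries no kvno (for instance when kvno itself failed).
kdc_kvno() {
    awk -F'kvno = ' 'NF > 1 { print $2 + 0; found = 1; exit }
        END { if (!found) print 0 }'
}

# Compare the two versions for principal $1 given klist output $2 and kvno
# output $3. Prints "ok" when the keytab can still authenticate, "stale" when
# the KDC has a newer key (the "Preauthentication failed" case in the thread),
# "missing" when the keytab has no entry at all. Returns 0 only for "ok".
diagnose_keytab() {
    princ="$1"; keytab_out="$2"; kvno_out="$3"
    have=$(printf '%s\n' "$keytab_out" | keytab_kvno "$princ")
    want=$(printf '%s\n' "$kvno_out" | kdc_kvno)
    if [ "$have" -eq 0 ]; then
        echo missing; return 1
    elif [ "$have" -ne "$want" ]; then
        echo stale; return 1
    fi
    echo ok
}

# The fix from the thread: the same ipa-getkeytab call, but written to the
# keytab SSSD actually reads. ipa-getkeytab generates a fresh key by default
# (which is what invalidated /etc/krb5.keytab above), so only ever point it
# at the keytab the host will keep.
fix_command() {
    printf 'ipa-getkeytab -s %s -p %s -k /etc/krb5.keytab\n' "$1" "$2"
}

# Constructed sample: /etc/krb5.keytab still holds KVNO 2, but the
# ipa-getkeytab run into /tmp/client.keytab moved the KDC on to KVNO 3.
SAMPLE_PRINC='host/client.ourdomain.edu@OURDOMAIN.EDU'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/01/2021 10:12:05 host/client.ourdomain.edu@OURDOMAIN.EDU
   2 03/01/2021 10:12:05 host/client.ourdomain.edu@OURDOMAIN.EDU'
SAMPLE_KVNO='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 3'

# Live mode: sh this-script --live host/<fqdn>@<REALM> <ipa-server>
# Run on the client with a valid ticket in the credential cache.
if [ "${1:-}" = "--live" ]; then
    princ="$2"; server="$3"
    diagnose_keytab "$princ" "$(klist -kt /etc/krb5.keytab)" "$(kvno "$princ" 2>&1)" \
        || fix_command "$server" "$princ"
fi
```

Run with no arguments the script only defines the functions and sample data; with the constructed sample, `diagnose_keytab` reports "stale", which is the state the krb5kdc "preauth (spake) verify failure" lines above correspond to.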