Hi list,

RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function.

Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using sssd-ipa?

Thanks.


Regards,
Siggi


[root@ipaclient sssd]# kinit -kt /etc/krb5.keytab
kinit(v5): Preauthentication failed while getting initial credentials

ipaserver krb5kdc log file:

/var/log/krb5kdc:
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: NEEDED_PREAUTH: host/ipaclient.realm.net@REALM.NET for krbtgt/REALM.NET@REALM.NET, Additional pre-authentication required
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): Doing certauth authorize for [host/ipaclient.realm.net@REALM.NET]
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): Got cert filter [(userCertificate;binary=xxxxxxx
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): No matching entry found
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): preauth (pkinit) verify failure: Certificate mismatch
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: PREAUTH_FAILED: host/ipaclient.realm.net@REALM.NET for krbtgt/REALM.NET@REALM.NET, Certificate mismatch
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): closing down fd 10


client sssd log files:

==> sssd_nss.log <==
(Mon Nov  6 16:18:23 2017) [sssd[nss]] [accept_fd_handler] (6): Client connected!
(Mon Nov  6 16:18:23 2017) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Mon Nov  6 16:18:23 2017) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Mon Nov  6 16:18:23 2017) [sssd[nss]] [nss_cmd_getpwuid_search] (4): Requesting info for [693200437@realm.net]
(Mon Nov  6 16:18:23 2017) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [realm.net][4097][1][idnumber=693200437]

==> ldap_child.log <==
(Mon Nov  6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [ldap_child_get_tgt_sync] (4): Principal name is: [host/ipaclient.realm.net@REALM.NET]
(Mon Nov  6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Certificate mismatch
(Mon Nov  6 16:18:24 2017) [[sssd[ldap_child[13376]]]] [main] (1): ldap_child_get_tgt_sync failed.

==> sssd_realm.net.log <==
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [read_pipe_handler] (6): EOF received, client finished
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Certificate mismatch], expired on [0]
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_cli_kinit_done] (6): Cannot get a TGT: ret [5] result [4]
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [fo_set_port_status] (4): Marking port 0 of server 'ipaserver1.realm.net' as 'not working'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [fo_resolve_service_send] (4): Trying to resolve service 'IPA'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver22.realm.net' is 'name resolved'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver2.realm.net' is 'not working'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver1.realm.net' is 'name resolved'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver1.realm.net' is 'not working'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver21.realm.net' is 'name resolved'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 389 for server 'ipaserver21.realm.net' is 'not working'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_server_status] (7): Status of server 'ipaserver1.realm.net' is 'name resolved'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [get_port_status] (7): Port status of port 0 for server 'ipaserver1.realm.net' is 'not working'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [fo_resolve_service_send] (1): No available servers for service 'IPA'
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [be_resolve_server_done] (7): Server resolution failed: 5
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [sdap_id_op_connect_done] (1): Failed to connect, going offline (5 [Input/output error])
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [be_run_offline_cb] (3): Going offline. Running callbacks.
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [acctinfo_callback] (4): Request processed. Returned 1,11,Offline
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [child_sig_handler] (7): Waiting for child [13376].
(Mon Nov  6 16:18:24 2017) [sssd[be[realm.net]]] [child_sig_handler] (4): child [13376] finished successfully.
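Added here as an illustration and not part of the original post: a small parser for krb5kdc log lines of the shape quoted above. It pairs each PREAUTH_FAILED AS_REQ with the preceding "preauth (...) verify failure" line so the failing mechanism (here pkinit) and reason are recorded per client principal and source address, which makes a host principal failing certificate preauth stand out from ordinary password failures. The sample lines are constructed from the post's format; the ISSUE line is an assumed success record, not taken from the post.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the krb5kdc lines quoted in the post; the
# final ISSUE line is assumed so the summary shows a success beside a failure.
SAMPLE_KDC_LOG = """\
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: NEEDED_PREAUTH: host/ipaclient.realm.net@REALM.NET for krbtgt/REALM.NET@REALM.NET, Additional pre-authentication required
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): Doing certauth authorize for [host/ipaclient.realm.net@REALM.NET]
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): preauth (pkinit) verify failure: Certificate mismatch
Nov 06 15:51:55 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.137.46: PREAUTH_FAILED: host/ipaclient.realm.net@REALM.NET for krbtgt/REALM.NET@REALM.NET, Certificate mismatch
Nov 06 15:52:10 ipaserver1.realm.net krb5kdc[10673](info): AS_REQ (8 etypes {18 17 16 23 1 3 2 11}) 192.168.137.50: ISSUE: authtime 1509983530, etypes {rep=18 tkt=18 ses=18}, host/other.realm.net@REALM.NET for krbtgt/REALM.NET@REALM.NET
"""

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PREAUTH_FAIL_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.+)$")

def parse_kdc_log(text):
    """Return one record per AS_REQ line. A PREAUTH_FAILED record carries the
    mechanism named by the most recent 'preauth (...) verify failure' line."""
    records, last_mech = [], None
    for line in text.splitlines():
        pf = PREAUTH_FAIL_RE.search(line)
        if pf:
            last_mech = pf.group("mech")
            continue
        m = AS_REQ_RE.search(line)
        if not m:
            continue  # certauth / cert filter / fd lines are not AS_REQ outcomes
        before, _, after = m.group("rest").partition(" for ")
        server, _, reason = after.partition(", ")  # reason is empty on ISSUE
        rec = {"ip": m.group("ip"), "status": m.group("status"),
               "client": before.split()[-1], "server": server, "reason": reason,
               "mech": last_mech if m.group("status") == "PREAUTH_FAILED" else None}
        if rec["status"] == "PREAUTH_FAILED":
            last_mech = None  # consumed; do not attribute it to a later request
        records.append(rec)
    return records

def summarize(records):
    """Per client principal: AS_REQ outcome counts, source IPs and failure reasons."""
    out = defaultdict(lambda: {"counts": defaultdict(int), "failures": set(), "ips": set()})
    for r in records:
        s = out[r["client"]]
        s["counts"][r["status"]] += 1
        s["ips"].add(r["ip"])
        if r["status"] == "PREAUTH_FAILED":
            s["failures"].add((r["mech"], r["reason"]))
    return out
```

Feeding the real file to `summarize(parse_kdc_log(open(path).read()))` gives the same per-principal view for a whole day's log.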