On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> Robert Kudyba via FreeIPA-users wrote:
>> I believe we've made some progress but not quite there yet. Just to recap,
>> any NEW user created via CLI or GUI can connect via ssh. All imported NIS
>> users can only log in with their NIS password. I change the user's password
>> in the UI and check the Password checkbox in User authentication type and
>> click Save. I successfully added a client:
>>
>> ipa host-add-managedby --hosts=ourdomain.edu client.ourdomain.edu
>>   Host name: client.ourdomain.edu
>>   Platform: x86_64
>>   Operating system: 5.10.9-201.fc33.x86_64
>>   Principal name: host/client.ourdomain.edu@OURDOMAIN.EDU
>>   Principal alias: host/client.ourdomain.edu@OURDOMAIN.EDU
>>   Managed by: client.ourdomain.edu, ourdomain.edu
>> -------------------------
>> Number of members added 1
>> -------------------------
>>
>> [root@ourdomain ~]# ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /tmp/client.keytab
>> Keytab successfully retrieved and stored in: /tmp/client.keytab
>
> This is why SSSD isn't working. SSSD uses the host keytab in
> /etc/krb5.keytab and you invalidated it with the above command.

OK what do I need to do to fix this? I got this from
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Install...
(which I realize is old),

>> Based on this SF discussion
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__serverfault.com_ques...>,
>> I changed: in /etc/krb5.conf
>> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>
> I don't think this is necessary.

OK Thanks for letting me know.

Are these SSH logs helpful:

NEEDED_PREAUTH: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): closing down fd 11
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed

Does this have to do with your comment above about SSSD not working?
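An added check for the condition Rob describes above (not part of this thread and not FreeIPA's own tooling): after ipa-getkeytab wrote a fresh key for the host principal to /tmp/client.keytab, the copy SSSD reads from /etc/krb5.keytab holds an older key version than the KDC now issues. The script compares the kvno in a keytab with the kvno the KDC reports; it assumes MIT Kerberos `klist -kt` and `kvno` output formats, and the listings it runs against are constructed samples.

```sh
# Highest key version number stored for principal $1 in `klist -kt` output read
# from stdin (lines look like "   2 03/11/2021 13:38:28 host/x@REALM").
keytab_kvno() {
    awk -v p="$1" '$NF == p && ($1 + 0) > max { max = $1 + 0 } END { print max + 0 }'
}

# Key version the KDC currently issues for principal $1, from `kvno` output read
# from stdin (a line such as "host/x@REALM: kvno = 3").
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# Returns 0 when the keytab's kvno matches the KDC's, 1 when the keytab is stale
# or the principal is missing from either listing.
keytab_is_current() {
    principal=$1 keytab_listing=$2 kvno_listing=$3
    kt=$(printf '%s\n' "$keytab_listing" | keytab_kvno "$principal")
    kdc=$(printf '%s\n' "$kvno_listing" | kdc_kvno "$principal")
    [ "$kt" -gt 0 ] && [ -n "$kdc" ] && [ "$kt" -eq "$kdc" ]
}

# Live check against the real keytab and KDC (kvno needs a credential cache).
check_host_keytab() {
    keytab_is_current "$1" "$(klist -kt /etc/krb5.keytab)" "$(kvno "$1" 2>&1)"
}

# Constructed sample: /etc/krb5.keytab still holds kvno 2, while the KDC moved
# to kvno 3 when the extra ipa-getkeytab run generated a new key.
SAMPLE_PRINCIPAL='host/client.ourdomain.edu@OURDOMAIN.EDU'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/10/2021 09:00:00 host/client.ourdomain.edu@OURDOMAIN.EDU
   2 03/10/2021 09:00:00 host/client.ourdomain.edu@OURDOMAIN.EDU'
SAMPLE_KVNO='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 3'

if keytab_is_current "$SAMPLE_PRINCIPAL" "$SAMPLE_KLIST" "$SAMPLE_KVNO"; then
    echo "host keytab is current"
else
    echo "host keytab is stale: kvno in keytab does not match the KDC"
fi
```

Run check_host_keytab with the host principal on the client to test the real /etc/krb5.keytab; a mismatch explains SSSD failing while a freshly fetched keytab elsewhere still works.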