On Sun, 22 Mar 2020, Faraz Younus wrote:
>Thanks for your swift replies. Below is the output:
>
>ipamaster# kvno -S host england-web-dev.fixedandmobile.com
>host/england-web-dev.fixedandmobile.com@FIXEDANDMOBILE.COM: kvno = 1
>
>client# klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   1 host/england-web-dev.fixedandmobile.com@FIXEDANDMOBILE.COM
>   1 host/england-web-dev.fixedandmobile.com@FIXEDANDMOBILE.COM
>   1 host/england-web-dev.fixedandmobile.com@FIXEDANDMOBILE.COM
>   1 host/england-web-dev.fixedandmobile.com@FIXEDANDMOBILE.COM
ok, does
KRB5_TRACE=/dev/stderr kinit -k
work on the client?
I think it should produce an error in a way similar to what SSSD logs tell.

If it does fail, you need to regenerate the key on the client by using

# kinit admin
# ipa-getkeytab -s ipa.master.host -p host/england-web-dev.fixedandmobile.com -k /etc/krb5.keytab
On Sun, Mar 22, 2020 at 4:30 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Sun, 22 Mar 2020, Faraz Younus wrote:
> >Sorry for not sharing the error, my bad. I enabled sssd but ldap child
> >error on decrypt
> >
> >Mar 22 11:11:26 sssd[be[fixedandmobile.com]]: Starting up
> >Mar 22 11:11:26 sssd[nss]: Starting up
> >Mar 22 11:11:26 sssd[pam]: Starting up
> >Mar 22 11:11:26 sssd[pac]: Starting up
> >Mar 22 11:11:26 sssd[ssh]: Starting up
> >Mar 22 11:11:26 sssd[sudo]: Starting up
> >Mar 22 11:11:32 [sssd[ldap_child[19468]]]: Failed to initialize credentials using keytab [default]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> This means your /etc/krb5.keytab contains the key from old IPA setup,
> most likely. This key is unknown to your new KDC (IPA master) so it is
> not able to successfully authenticate your client.
>
> Please show two things:
>
> 1. On IPA master, do
> kinit admin
> kvno -S host client.host.name
>
> 2. On the client itself, do
> klist -k
>
> The key version number (KVNO) in both cases should be the same. If you
> fully reinstalled your IPA master, it might actually be the same but the
> key would be totally different. In such case you need to regenerate the
> key again, but first show the result of these two operations.
>
> >
> >:/var/log/sssd # tail -f ldap_child.log
> >
> >(Sun Mar 22 10:52:10 2020) [[sssd[ldap_child[19122]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
> >(Sun Mar 22 11:04:53 2020) [[sssd[ldap_child[19332]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
> >^C
> >
> >On Sun, Mar 22, 2020 at 3:54 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >
> >> On Sun, 22 Mar 2020, Faraz Younus wrote:
> >> >It's not helping, can you elaborate specifically?
> >>
> >> You are literally providing zero details about your problem.
> >>
> >> SSH server on Linux clients typically is configured to allow PAM
> >> authentication. If your client is enrolled into IPA, then it is
> >> configured to run SSSD and authenticate your users through PAM stack. It
> >> means that your ways of debugging are along the following lines:
> >>
> >> - look into existing system log to get an exact message SSH server is
> >> giving for a login attempt
> >> - enable SSH server debug log level to see what causes the issue if
> >> that is not clear
> >> - enable debugging for SSSD if you consider the issue is from pam_sss
> >>
> >> Your original email has no details on either of these steps.
> >>
> >> In any case, it is the work that nobody else can do for you. If you have
> >> not gathered this information, nobody will be able to help you, so we need
> >> *your* help in order to be able to help *you*.
> >>
> >> This is a community mailing list, there are no obligations to solve
> >> any problems you are reporting, even if more detailed information is
> >> available. However, people here could help to diagnose a problem if
> >> there would be any way to help. Without any substantiated details the
> >> only way to do that is to speculate which is not something that, in my
> >> opinion, should be done.
> >>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
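The KVNO comparison Alexander describes (`kvno -S host` on the IPA master against `klist -k` on the client), as an added shell example that is not part of the thread or of FreeIPA itself. It parses both outputs, reports a match, a mismatch or a missing keytab entry, and carries his caveat that an equal KVNO after a full master reinstall still does not prove the key matches; the sample outputs are constructed from the principal shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare the KVNO the KDC reports for
# host/<fqdn> ("kvno -S host <fqdn>" on the IPA master) with the KVNOs held in
# the client's keytab ("klist -k"). Sample outputs below are constructed.

# KVNO from "kvno -S host" output on stdin: "host/<fqdn>@REALM: kvno = N".
master_kvno() {
    awk -v p="host/$1@" 'index($0, p) == 1 && /kvno = / {
        sub(/.*kvno = /, ""); print $1; exit }'
}

# Distinct KVNOs for host/<fqdn> in "klist -k" output on stdin. Table rows look
# like "   1 host/<fqdn>@REALM"; the header and dash lines never match.
keytab_kvnos() {
    awk -v p="host/$1@" 'index($2, p) == 1 { print $1 }' | sort -u
}

# Prints one verdict and returns 0 only if the keytab has the KDC's current KVNO.
# Necessary, not sufficient: after a full IPA master reinstall the KVNO can be
# equal while the key differs, so "KRB5_TRACE=/dev/stderr kinit -k" stays the
# real test.
check_host_kvno() {
    fqdn=$1 master_out=$2 keytab_out=$3
    kdc=$(printf '%s\n' "$master_out" | master_kvno "$fqdn")
    have=$(printf '%s\n' "$keytab_out" | keytab_kvnos "$fqdn")
    [ -n "$kdc" ] || { echo "no-kvno-from-kdc"; return 1; }
    [ -n "$have" ] || { echo "principal-missing-in-keytab"; return 1; }
    for v in $have; do
        [ "$v" = "$kdc" ] && { echo "kvno-match:$v"; return 0; }
    done
    echo "kvno-mismatch:kdc=$kdc,keytab=$(printf '%s' "$have" | tr '\n' '/')"
    return 1
}

FQDN=england-web-dev.fixedandmobile.com
# Constructed sample outputs (values as in the thread).
MASTER_OUT="host/$FQDN@FIXEDANDMOBILE.COM: kvno = 1"
KEYTAB_OUT="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 host/$FQDN@FIXEDANDMOBILE.COM
   1 host/$FQDN@FIXEDANDMOBILE.COM"
# Constructed: the KDC has been re-keyed to kvno 2 while the client still has 1.
MASTER_REKEYED="host/$FQDN@FIXEDANDMOBILE.COM: kvno = 2"

check_host_kvno "$FQDN" "$MASTER_OUT" "$KEYTAB_OUT" || true      # kvno-match:1
check_host_kvno "$FQDN" "$MASTER_REKEYED" "$KEYTAB_OUT" || true  # kvno-mismatch:kdc=2,keytab=1
```

On a real client, feed the script the captured outputs of the two commands; a mismatch or a missing entry is the case where `ipa-getkeytab` must regenerate the host key, while a match still needs `kinit -k` to confirm the key itself.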