On Sun, 22 Mar 2020, Faraz Younus wrote:
Sorry for not sharing the error, my bad. I enabled sssd but got an ldap child error
on decrypt

Mar 22 11:11:26  sssd[be[fixedandmobile.com]]: Starting up

Mar 22 11:11:26  sssd[nss]: Starting up

Mar 22 11:11:26  sssd[pam]: Starting up

Mar 22 11:11:26 sssd[pac]: Starting up

Mar 22 11:11:26  sssd[ssh]: Starting up

Mar 22 11:11:26 sssd[sudo]: Starting up

Mar 22 11:11:32  [sssd[ldap_child[19468]]]: Failed to initialize
credentials using keytab [default]: Decrypt integrity check failed. Unable
to create GSSAPI-encrypted LDAP connection.

This means your /etc/krb5.keytab contains the key from old IPA setup,
most likely. This key is unknown to your new KDC (IPA master) so it is
not able to successfully authenticate your client.

Please show two things:

1. On IPA master, do
  kinit admin
  kvno -S host client.host.name

2. On the client itself, do
  klist -k

The key version number (KVNO) in both cases should be the same. If you
fully reinstalled your IPA master, it might actually be the same but the
key would be totally different. In such a case you need to regenerate the
key again, but first show the result of these two operations.


:/var/log/sssd # tail -f ldap_child.log

(Sun Mar 22 10:52:10 2020) [[sssd[ldap_child[19122]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
integrity check failed

(Sun Mar 22 11:04:53 2020) [[sssd[ldap_child[19332]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
integrity check failed

^C

On Sun, Mar 22, 2020 at 3:54 PM Alexander Bokovoy <[email protected]>
wrote:

On Sun, 22 Mar 2020, Faraz Younus wrote:
>It's not helping, can you elaborate specifically?

You are literally providing zero details about your problem.

SSH server on Linux clients typically is configured to allow PAM
authentication. If your client is enrolled into IPA, then it is
configured to run SSSD and authenticate your users through PAM stack. It
means that your ways of debugging are along the following lines:

  - look into existing system log to get an exact message SSH server is
    giving for a login attempt
  - enable SSH server debug log level to see what causes the issue if
    that is not clear
  - enable debugging for SSSD if you consider the issue is from pam_sss

Your original email has no details on either of these steps.

In any case, it is the work that nobody else can do for you. If you have
not gathered this information, nobody will be able to help you, so we need
*your* help in order to be able to help *you*.

This is a community mailing list, there are no obligations to solve
any problems you are reporting, even if more detailed information is
available. However, people here could help to diagnose a problem if
there would be any way to help. Without any substantiated details the
only way to do that is to speculate, which is not something that, in my
opinion, should be done.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
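The KVNO comparison described above (kvno -S host on the IPA master versus klist -k on the client), scripted as an added example that is not from the thread nor from FreeIPA or SSSD. It parses constructed sample output for an assumed client.host.name in an assumed realm EXAMPLE.TEST so it runs offline; on real hosts, feed the two functions the actual command output.

```shell
#!/bin/sh
# Added example, not from the thread: compare the host principal's KVNO as the
# IPA master sees it (`kinit admin; kvno -S host client.host.name`) with the
# KVNOs stored in the client's /etc/krb5.keytab (`klist -k`).
# The two outputs below are constructed samples so the script runs offline;
# on real hosts, feed it the actual command output instead.

# kvno(1) prints "<principal>: kvno = <N>"; return the first N found.
master_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# klist -k prints "<KVNO> <principal>" rows after a two-line header; print the
# distinct KVNOs whose principal (realm stripped) equals $2, space-separated.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 2 && $1 ~ /^[0-9]+$/ {
            split($2, parts, "@")
            if (parts[1] == want) seen[$1] = 1
        }
        END { for (k in seen) print k }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Status 0 if the master's KVNO appears in the keytab, 1 otherwise. Equal
# numbers only prove the versions agree: after a full master reinstall the key
# bytes can differ under the same KVNO, and the keytab still has to be
# regenerated (the "Decrypt integrity check failed" symptom stays).
kvno_matches() {
    m=$(master_kvno "$1")
    [ -n "$m" ] || return 1
    for k in $(keytab_kvnos "$2" "$3"); do
        [ "$k" = "$m" ] && return 0
    done
    return 1
}

# Constructed samples: master reports kvno 3, client keytab only holds kvno 2.
SAMPLE_KVNO='host/client.host.name@EXAMPLE.TEST: kvno = 3'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/client.host.name@EXAMPLE.TEST
   2 host/client.host.name@EXAMPLE.TEST'

if kvno_matches "$SAMPLE_KVNO" "$SAMPLE_KLIST" host/client.host.name; then
    echo "KVNO matches: the keytab is current with the KDC"
else
    echo "KVNO mismatch: master has $(master_kvno "$SAMPLE_KVNO"), keytab has $(keytab_kvnos "$SAMPLE_KLIST" host/client.host.name)"
fi
```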
_______________________________________________
FreeIPA-users mailing list -- [email protected]