On Fri, 09 May 2025, Remo Schmid via FreeIPA-users wrote:
I have a construct with two FreeIPA servers and a Samba AD that trust
each other. Now I have rebuilt a FreeIPA, and since then I have problems
with the authentication. Logging in via SSH on the server works (via SSH
key), but doing sudo on the server with the AD user does not work.
According to the logfiles, the password of the AD user is checked correctly,
and there I also see different logs if the password is correct or
wrong. Kerberos says the password is checked successfully.
However, it does not work afterwards. In the krb5_child.log I see the
following error:

==> [krb5_child[33538]] [get_and_save_tgt] (0x0020): [RID#45] 2395: [-1765328353][Decrypt integrity check failed]

The trust position looks good from Samba AD as well as from the IPA
side.
Are there any who have had similar problems after reinstalling? Any
ideas what else I should check?

You reinstalled the IPA deployment -> all Kerberos keys did change, so
keytabs on the file system aren't valid anymore.
I assume you have re-established the trust agreement again too?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland