Good Day! I installed a new IPA server (with the same name as the old one) on a new server and added a single user for testing. I have a client that was previously enrolled with the old IPA server; on it I ran ipa-client-install --uninstall, removed /etc/ipa/ca.crt, removed the items left in /tmp, and rebooted. I then updated /etc/hosts to point to the new IPA server and ran ipa-client-install --no-ntp. The install went fine. Now when I try to log in to the client as my new test user, it doesn't work; I get the errors below. I am able to log in to the new directory server as my new user: I was prompted to change my password and was then able to log back in just fine.
Any help is appreciated. Thanks. Client: [root@test3-vm ~]# uname -a Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root@test3-vm ~]# cat /etc/redhat-release CentOS release 6.6 (Final) [root@test3-vm ~]# rpm -qa | grep ipa-client ipa-client-3.0.0-42.el6.centos.x86_64 Server: [root@dir1 ~]# uname -a Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root@dir1 ~]# cat /etc/redhat-release CentOS release 6.6 (Final) [root@dir1 ~]# rpm -qa | grep ipa-server ipa-server-selinux-3.0.0-42.el6.centos.x86_64 ipa-server-3.0.0-42.el6.centos.x86_64 From client: [root@test3-vm sssd]# klist -kt /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 01/23/15 14:27:05 host/[email protected] 1 01/23/15 14:27:05 host/[email protected] 1 01/23/15 14:27:05 host/[email protected] 1 01/23/15 14:27:06 host/[email protected] [root@test3-vm sssd] This works fine: [root@test3-vm sssd]# kinit tester1 Password for [email protected]: [root@test3-vm sssd]# [root@test3-vm sssd]# tail -200 krb5_child.log (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise principal [false] offline [false] UPN [[email protected]] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. 
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/[email protected]] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity check failed] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error] (0x0020): 1043: [-1765328353][Decrypt integrity check failed] (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data] (0x0200): Received error code 1432158218 (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise principal [false] offline [false] UPN [[email protected]] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/[email protected]] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. 
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity check failed] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error] (0x0020): 1043: [-1765328353][Decrypt integrity check failed] (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data] (0x0200): Received error code 1432158218 [root@test3-vm sssd]# cat /etc/sssd/sssd.conf # Do not edit Managed by Spacewalk [domain/MYDOMAIN.COM] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = MYDOMAIN.COM id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = test3-vm.MYDOMAIN.COM chpass_provider = ipa ipa_server = _srv_, dir1.MYDOMAIN.COM dns_discovery_domain = MYDOMAIN.COM sudo_provider = ldap ldap_uri = ldap://dir1.MYDOMAIN.COM ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM ldap_sasl_realm = MYDOMAIN.COM krb5_server = dir1.MYDOMAIN.COM debug_level = 5 [sssd] services = nss, pam, ssh, sudo config_file_version = 2 debug_level = 5 domains = MYDOMAIN.COM [nss] [pam] [sudo] debug_level = 5 [autofs] [ssh] [pac] -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
