> On Tue, Jun 16, 2015 at 04:32:31PM -0700, [email protected] wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one client, and fails on the other. I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
>> and they are identical (other than the hostnames). I can't seem to find any
>> other difference between the clients.
>>
>> Password authentication works on both machines.
>>
>> Here is the debug log of the failed login machine (sshd)
>>
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>>
>> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
>
> This message is in the other log as well and I think this is ok.
>
> Have you checked if the keytab on the host with the issue has the latest key
> version?
>
> To check, call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ, call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestroy
> and kinit on the client to remove the old, now invalid ticket from the
> client's credential cache.
>
> HTH
>
> bye,
> Sumit
Following those directions, I ran into some issues, but I think I may have just interpreted them wrong. klist lists 4 principals all with the same name and kvno on that server. Shouldn't there be just one? Also, when running kvno as root, I get back an error. I had to kinit first. I got this even on a server that was working, though, so I assume that step was skipped above.

[root@fe1 home]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
[root@fe1 home]# kvno host/[email protected]
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
[root@fe1 home]# kinit username
Password for [email protected]:
[root@fe1 home]# kvno host/[email protected]
host/[email protected]: kvno = 1

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
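An added shell example, not from this thread or the FreeIPA project, that scripts Sumit's check: it parses `klist -k` and `kvno` output and compares the key version numbers, and its comments explain the two things the reply above trips over (the repeated principal lines and the credential-cache error). The sample output, the principal host/fe1.example.com@EXAMPLE.COM and the function names are constructed; check_host_keytab assumes the real klist/kvno binaries, root and an existing ticket from kinit.

```shell
#!/bin/sh
# Added example: compare the host key version (KVNO) in the local keytab
# with the one the KDC currently issues. Parsing works on plain text, so
# it also runs on the constructed sample output at the bottom.

# Highest KVNO that `klist -k` lists for a principal. klist prints one line
# per keytab entry, and every encryption type of the same key is its own
# entry, so several identical principal/KVNO lines are normal (klist -ke
# shows the enctype of each). Prints nothing when the principal is absent.
keytab_kvno() {   # $1 = klist -k output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" \
        '$2 == p { if (m == "" || $1 + 0 > m) m = $1 + 0 } END { if (m != "") print m }'
}

# KVNO the KDC uses, from a line such as "host/x@REALM: kvno = 1".
# kvno asks the KDC for a service ticket, so it needs a client ticket first
# (kinit); without one it only prints the "Credentials cache file ... not
# found" error, and this function prints nothing.
kdc_kvno() {      # $1 = kvno output
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF > 1 { print $2 + 0; exit }'
}

# 0 when keytab and KDC agree, 1 on mismatch or when either value is missing.
kvno_matches() {  # $1 = klist -k output, $2 = kvno output, $3 = principal
    k=$(keytab_kvno "$1" "$3"); s=$(kdc_kvno "$2")
    [ -n "$k" ] && [ -n "$s" ] && [ "$k" -eq "$s" ]
}

# Live check on a host (assumes klist/kvno are installed, you are root and
# hold a ticket from kinit). On mismatch the remedy is the one from the
# thread: ipa-getkeytab for a fresh keytab, then kdestroy and kinit.
check_host_keytab() {   # $1 = host principal, e.g. host/fqdn@REALM
    if kvno_matches "$(klist -k 2>/dev/null)" "$(kvno "$1" 2>/dev/null)" "$1"; then
        echo "keytab KVNO matches the KDC for $1"
    else
        echo "KVNO mismatch or lookup failed for $1: ipa-getkeytab, then kdestroy and kinit" >&2
        return 1
    fi
}

# Constructed sample output mirroring the thread (names are placeholders).
SAMPLE_PRINC='host/fe1.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 host/fe1.example.com@EXAMPLE.COM
   1 host/fe1.example.com@EXAMPLE.COM'
SAMPLE_KVNO="$SAMPLE_PRINC: kvno = 1"
kvno_matches "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$SAMPLE_PRINC" && echo "sample: keytab and KDC agree (kvno 1)"
```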
