> On Tue, Jun 16, 2015 at 04:32:31PM -0700, [email protected] wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on one
>> client, and fails on the other. I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients and
>> they are identical (other than the hostnames). I can't seem to find any
>> other difference between the clients.
>>
>> Password authentication works on both machines.
>>
>> Here is the debug log of the failed login machine (sshd)
>>
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>>
>> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
>
> This message is in the other log as well and I think this is ok.
>
> Have you checked if the keytab on the host with issue has the latest key
> version?
>
> To check this, call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestroy
> and kinit on the client to remove the old now invalid ticket from the
> client's credential cache.
>
> HTH
>
> bye,
> Sumit

It turns out this was something really basic. We had multiple DNS entries for this host, and the reverse entry did not match the DNS name I was connecting to the host with.
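
The keytab check described in the quoted reply above, as an added example that is not part of the original thread: it compares the kvno stored in the keytab with the one `kvno` reports. The function names, host name and realm are hypothetical, and the sample command output is constructed.

```bash
#!/bin/bash
# Added example (not from the thread): compare the kvno of a host principal
# in the keytab with the kvno reported by `kvno` for the same principal.

# Read `klist -k` output on stdin; print the highest kvno stored for principal $1.
# A keytab can keep old keys beside new ones, so only the highest entry counts.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max < 0) exit 1; print max }'
}

# Read `kvno <principal>` output on stdin ("<principal>: kvno = N"); print N.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = keytab kvno, $2 = kvno reported by `kvno`.
kvno_status() {
    if [ "$1" -eq "$2" ]; then echo "match"
    elif [ "$1" -lt "$2" ]; then echo "stale-keytab"   # fetch a fresh keytab (ipa-getkeytab)
    else echo "stale-ticket"                           # kdestroy, kinit, then retry
    fi
}

# Constructed sample output (hypothetical host and realm), for offline checks.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/client2.example.com@EXAMPLE.COM
   2 host/client2.example.com@EXAMPLE.COM
   2 host/client2.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/client2.example.com@EXAMPLE.COM: kvno = 3'

# Live use (as root, with a valid TGT): ./check-kvno.sh --live host/<fqdn>@<REALM>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    kt=$(klist -k | keytab_kvno "$2") || { echo "no keytab entry for $2"; exit 2; }
    kdc=$(kvno "$2" | kdc_kvno)
    [ -n "$kdc" ] || { echo "kvno returned no key version for $2"; exit 2; }
    kvno_status "$kt" "$kdc"
fi
```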
