On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
> Hello,
>
> I am starting to see some issues with a few RHEL7 boxes I have been
> enrolling to my RHEL 6 IPA server regarding encryption.
>
> RHEL 7 client
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> sssd-ipa-1.12.2-58.el7_1.18.x86_64
> ipa-client-4.1.0-18.el7_1.4.x86_64
>
> RHEL 6 Server
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> sssd-ipa-1.13.3-22.el6_8.4.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
>
> The RHEL 7 client shows this in messages
>
> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
> for encryption type

Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?

> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
> failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> I am also not seeing host certs for them on the ipa server but I do see
> them on the local box.
>
> [root@server1 pam.d]# ktutil

Can you run klist -ke as well to see what encryption types are included in
the keytab? Is it possible to run "kinit -k" on the client?

> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/[email protected]
>    2    1 host/[email protected]
>    3    1 host/[email protected]
>    4    1 host/[email protected]
> ktutil:
>
> I have one RHEL 7 box with no issues as it was just enrolled (missing host
> certs in IPA though) and I compared an IPA ID login with a box not
> working
>
> Work
> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
> hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'
>
> vs
>
> Works
> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
> exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
> res=success'
>
> It's almost as if the pam files are not being read?
>
> Sean Hogan
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
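The reply asks for `klist -ke` output so the enctypes present in the keytab can be compared with what the client's libkrb5 will accept; "Program lacks support for encryption type" is exactly the case where a keytab entry uses an enctype the client has disabled (single-DES is refused by MIT krb5 unless allow_weak_crypto = true). The following script is an added example, not part of the thread: it parses constructed `klist -ke` output (placeholder principal and realm) and reports which entries are usable, which the client cannot use, and which are weak. The CLIENT_ENCTYPES set is an assumption standing in for the client's permitted_enctypes.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample of `klist -ke` output; principal/realm are placeholders,
# not values from the original thread.
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   1 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   1 host/client.example.test@EXAMPLE.TEST (des-cbc-crc)
"""

# Assumption: the enctypes this client is configured to accept (what
# permitted_enctypes in krb5.conf would allow). Adjust for the real client.
CLIENT_ENCTYPES: Set[str] = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac",
}

# Single-DES enctypes; MIT krb5 refuses these unless allow_weak_crypto = true.
WEAK_ENCTYPES: Set[str] = {
    "des-cbc-crc",
    "des-cbc-md5",
    "des-cbc-md4",
    "des-hmac-sha1",
}


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str


# One keytab line: leading spaces, KVNO, principal, enctype in parentheses.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_ke(text: str) -> List[KeytabEntry]:
    """Parse `klist -ke` output into entries; header lines are skipped."""
    entries: List[KeytabEntry] = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(entries: List[KeytabEntry],
                 client_enctypes: Set[str],
                 weak_enctypes: Set[str]) -> Dict[str, List]:
    """Classify keytab enctypes against what the client will accept.

    'unsupported' entries are the ones that trigger "Program lacks support
    for encryption type" on the client; 'weak' entries are DES keys that
    should be removed from the host principal rather than re-enabled.
    """
    present = {e.enctype for e in entries}
    return {
        "usable": sorted(present & client_enctypes),
        "unsupported": sorted(present - client_enctypes),
        "weak": sorted(present & weak_enctypes),
        # Multiple KVNOs for one principal means the host key was re-issued;
        # a keytab KVNO that no longer matches the KDC gives
        # "Decrypt integrity check failed" on kinit -k.
        "kvnos": sorted({e.kvno for e in entries}),
    }


def report(text: str) -> str:
    """Human-readable summary for one `klist -ke` capture."""
    r = check_keytab(parse_klist_ke(text), CLIENT_ENCTYPES, WEAK_ENCTYPES)
    lines = [
        f"usable enctypes     : {', '.join(r['usable']) or '(none)'}",
        f"unsupported enctypes: {', '.join(r['unsupported']) or '(none)'}",
        f"weak (DES) enctypes : {', '.join(r['weak']) or '(none)'}",
        f"KVNOs in keytab     : {', '.join(map(str, r['kvnos']))}",
    ]
    if not r["usable"]:
        lines.append("WARNING: no enctype in the keytab is usable by this client")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_KLIST_KE))
```

On a real client, feed it the output of `klist -ke` (for example `klist -ke | python3 check_keytab.py` with `report(sys.stdin.read())` in place of the sample) and then compare the KVNO it prints with the KVNO the KDC holds for the host principal; a mismatch, rather than an enctype problem, is the usual reason for "Decrypt integrity check failed".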
