[Freeipa-devel] sshd, gssapi postinstall cleanup
Simo Sorce
ssorce at redhat.com
Thu Jan 3 22:26:39 UTC 2008
On Wed, 2008-01-02 at 16:21 -0500, John Dennis wrote:
> I lost my ability to ssh into one of the boxes I had IPA installed on.
> I'm not currently testing IPA on that box anymore so I disabled many of
> the IPA services and reset my /etc/krb5.conf file back to its original
> content (pointing to our corporate KDC). When I tried to ssh in the
> connection would appear to hang, so I ran ssh in verbose mode and
> discovered it was hanging while attempting GSSAPI authentication. I'm
> perplexed as to why and I'm wondering if something in the IPA
> installation might have done something (I believe each IPA rpm had been
> installed, but only the server install script had been run). Here are
> the relevant facts:
>
> * kerberos works fine, only our corporate KDC is configured.
>
> * disabling gssapi auth in /etc/ssh/sshd.conf makes the problem go away
> (but gssapi auth is enabled by default, so disabling this is non-standard).
>
> * local logons work
>
> * /etc/nsswitch.conf has only "files" for passwd,shadow,group
>
> * pam ssh points to pam system-auth
>
> * pam system-auth is normal
>
> * /etc/gssapi_mech.conf seems normal (?)
>
> * the local IPA KDC is shutdown and there is no reference to it in krb5.conf
>
> So, any ideas as to why sshd on that box would hang as it attempted
> gssapi auth and how might a previous IPA install be responsible for that?

I bet you have a /etc/krb5.keytab file left over from latest IPA
installations.

Simo.
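
One way to check for the leftover keytab suggested in the reply above, as an added example that is not part of the original thread: list the realms that have keys in a `klist -k` listing and report those that krb5.conf no longer defines. The realm and host names and the `demo` helper are constructed, and the parsing assumes the plain `klist -k` layout of MIT Kerberos.

```shell
# Added example: realms that have keys in a keytab but no entry in krb5.conf.
# Realms of the principals in a `klist -k` listing (read from stdin).
keytab_realms() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { sub(/^.*@/, "", $2); print $2 }' | sort -u
}

# Realms krb5.conf ($1) knows: default_realm plus each stanza under [realms].
conf_realms() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { section = trim($0); gsub(/^\[|\].*$/, "", section); next }
        section == "libdefaults" && trim($1) == "default_realm" { print trim($2) }
        section == "realms" && substr(trim($2), 1, 1) == "{" { if (depth++ == 0) print trim($1) }
        section == "realms" && substr(trim($0), 1, 1) == "}" { if (depth > 0) depth-- }
    ' "$1" | sort -u
}

# Realms in the keytab listing ($1) that krb5.conf ($2) does not define.
stale_realms() {
    kt=$(mktemp) && cf=$(mktemp) || return 1
    keytab_realms < "$1" > "$kt"
    conf_realms "$2" > "$cf"
    comm -23 "$kt" "$cf"
    rm -f "$kt" "$cf"
}

# Constructed sample: krb5.conf was reset, the keytab still holds the old realm.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/box.ipa.example.test@IPA.EXAMPLE.TEST
EOF
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = CORP.EXAMPLE.TEST
[realms]
 CORP.EXAMPLE.TEST = {
  kdc = kdc.corp.example.test
 }
EOF
    stale_realms "$d/klist.txt" "$d/krb5.conf"
    rm -rf "$d"
}
demo   # prints IPA.EXAMPLE.TEST
```

On a real host, save the output of `klist -k /etc/krb5.keytab` (run as root) to a file and pass it to `stale_realms` together with `/etc/krb5.conf`.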