<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1547260431;
mso-list-type:hybrid;
mso-list-template-ids:1190033810 1368180350 201916419 201916421 201916417 201916419 201916421 201916417 201916419 201916421;}
@list l0:level1
{mso-level-start-at:62;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">I just recently updated one of our test servers from CentOS 6.5 to CentOS 6.6, after which I noticed that IPA logons were no longer available. From what I can see the upgrade includes quite a few changes with regard to
sssd.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US" style="mso-fareast-language:EN-AU"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="mso-fareast-language:EN-AU">NTP is up and synced on the Auth servers and the client.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US" style="mso-fareast-language:EN-AU"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="mso-fareast-language:EN-AU">DNS is working to the IPA servers<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="mso-fareast-language:EN-AU">I can do a kinit for users with no problem</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="mso-fareast-language:EN-AU">I have uninstalled the ipa client, deleted the host profile on the IPA server and one a rejoin. The rejoin worked but the problem is the same.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Software versions using <o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">rpm -qa | grep -i ipa<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">rpm -qa | grep -i sssd<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Software versions before:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">libipa_hbac-1.9.2-129.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">device-mapper-multipath-0.4.9-72.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">libipa_hbac-python-1.9.2-129.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ipa-python-3.0.0-37.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ipa-client-3.0.0-37.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-1.9.2-129.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-client-1.9.2-129.el6_5.4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Software version after:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-ipa-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">libipa_hbac-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">device-mapper-multipath-libs-0.4.9-80.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ipa-client-3.0.0-42.el6.centos.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">libipa_hbac-python-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ipa-python-3.0.0-42.el6.centos.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">device-mapper-multipath-0.4.9-80.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-ldap-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-ad-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">python-sssdconfig-1.11.6-30.el6.noarch<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-client-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-krb5-common-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-ipa-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-common-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-proxy-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-common-pac-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-krb5-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sssd-1.11.6-30.el6.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The /var/log/secure logs show the following<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from <ip removed><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<host removed><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving information about user dtaylor<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The /var/log/audit/audit.log logs show the following<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831
suid=0 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831
suid=0 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client
ip removed> lport=22 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client
ip removed> lport=22 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh
res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=<hostname removed> addr=<ip removed>
terminal=ssh res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh
res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_KEY_USER msg=audit(1414715862.076:114): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=session fp=? direction=both spid=5831 suid=74 rport=44361 laddr=<Client ip removed>
lport=22 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_KEY_USER msg=audit(1414715862.078:115): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5830
suid=0 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=CRYPTO_KEY_USER msg=audit(1414715862.079:116): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5830
suid=0 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">type=USER_LOGIN msg=audit(1414715862.079:117): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh
res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The /var/log/sssd/</span><span lang="EN-US" style="mso-fareast-language:EN-AU">sssd_<IPA Svr IP removed>.log</span><span lang="EN-US"> logs show the following<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">==> /var/log/sssd/sssd_<IPA Svr IP removed>.log <==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): dbus conn: 0x16699b0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): Dispatching.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-AU">(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]<o:p></o:p></span></p>
</div>
</body>
</html>