<div dir="ltr">I had faced a similar issue a month ago, for which I had created a ticket. <a href="https://fedorahosted.org/freeipa/ticket/4956">https://fedorahosted.org/freeipa/ticket/4956</a></div><div class="gmail_extra"> <div class="gmail_quote">On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, 05 Jun 2015, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Martin Thanks for updating the documenation! The suggested solution works not only my test servers, but also "in the real world". This morning I migrated the last production server (ipa host) to the new FreeIPA KDC. Just out of idle curiosity, why is the rm -f /var/lib/sss/db/* step required on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5 + ipa-client 3.3.3 machines? Is the problem down to sssd? (on the EL 6.5 machines we are running sssd 1.9.2, while on EL 7.1 we have sssd 1.12.2 </blockquote> I think there are more object types supported by newer SSSD versions which aren't invalidated like users or groups.<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Cheers Chris From: Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> To: Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>, <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Cc: Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> Date: 05.06.2015 08:06 Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved On 06/04/2015 07:34 PM, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi All I can now report back success (at least on my throwaway EL7.1 test VM). To switch an EL 7.1 + ipa-client 4.1 host from an old FreeIPA 3.3.3 KDC </blockquote> to <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> a new FreeIPA 4.1 KDC 3 steps are required: 1) ipa-client-install --uninstall 2) rm -f /var/lib/sss/db/* 3) ipa-client-install --server <a href="http://ldap.my.example.com" target="_blank">ldap.my.example.com</a> --domain </blockquote> <a href="http://my.example.com" target="_blank">my.example.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -N Having done this, my free-ipa user successfully authenticates (e.g. ssh remote login with free-ipa user / password To switch EL 6.5 + ipa-client 3.3.3 hosts step 2) was not required. Kudos and thanks go to Rob C for suggesting step 2. (Note that the directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as suggested earlier in this thread. </blockquote> Cool! Thanks for reaching back. I added this advice to the FreeIPA Troubleshooting guide too: <a href="http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client" target="_blank">http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_on_client</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Cheers Chris From: Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> To: Christopher Lamb/Switzerland/IBM@IBMCH, <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Cc: Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>>, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> Date: 03.06.2015 10:39 Subject: Re: [Freeipa-users] Fw: ssh problem with migrated </blockquote> FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on EL7.1 -->Not Solved On 06/03/2015 10:30 AM, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi all This is a quick(ish) note to bring everybody up to speed on this issue. Yesterday we had some private mail exchange on this issue as I did not </blockquote> wish <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> to broadcast the krb5 and ipa install logs to the user list. The basic situation is that we are in the process of migrating from an FreeIPA 3.3.3 Server (KDC) to a new FreeIPA 4.1 Server (KDC). As </blockquote> discussed <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> in a thread some weeks ago we did not do this by replicating (as perhaps </blockquote> we <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> should have done). Instead we migrated the users across. We have 30+ servers that are IPA clients ("Hosts" in ipa-speak) joined </blockquote></blockquote> to <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> the old KDC. We are now in the process of migrating these hosts to the </blockquote> new <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1 KDC. Most of the hosts run EL 6.5 + ipa-client 3.3.3. For all of these </blockquote> joining <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> to the new KDC was trouble free, taking a few minutes each. After </blockquote></blockquote> joining <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> the new KDC FreeIPA users authenticated properly. We also had a small number of new EL 7.1 + ipa-client 4.1 hosts that </blockquote></blockquote> were <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> joined direct to the new 4.1 KDC, never having been joined of the 3.3.3 KDC. These were also trouble free. The problem occurs with a handful of existing EL 7.1 +ipa-client 4.1 </blockquote> hosts <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> that were originally joined to the 3.3.3 KDC, and must be moved to join </blockquote> the <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1 KDC. These machines no longer authenticate valid FreeIPA users. I </blockquote> have <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> been able to reproduce this behaviour with a freshly setup VM joined </blockquote> first <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> to the 3.3.3 KDC, then moved to the 4.1 KDC. While the errors show in the krb5 child logs indicate that the password </blockquote> is <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> incorrect, the same user / password is happily accepted by all the other hosts. It seems that in the process of moving / migrating the EL 7.1 / </blockquote> ipa-client <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1 from the old KDC to the new KDC, "something" is left behind that </blockquote> causes <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> problems. We have seen indications in the install logs that the kinit </blockquote> steps <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> called during ipa-client install are getting responses from the wrong </blockquote> (old) <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> KDC, and not from the new KDC. Frustratingly. over the weekend i managed to get one of the problem EL </blockquote> 7.1 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> boxes to work. However I can't work out exactly what I was that I did </blockquote> that <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> did the trick. However it seems that some kind of major de-install / cleanup + reinstall of the ipa-client may be needed. Rob has suggested that as part of such a cleanup I should do "rm -f /var/lib/sssd/db/*". I will test this later today and report back. Thanks to Rob, Jakub, Martin, Alexander et al for their help and suggestions so far. Chris </blockquote> Thanks for the background. The pain you are getting is exactly the reason why migration via replication to RHEL-7.1 is a better choice :-) Please let </blockquote> us <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> know the result, I am curious how this works out. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> From: Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> To: Christopher Lamb/Switzerland/IBM@IBMCH, <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> Date: 03.06.2015 09:34 Subject: Re: [Freeipa-users] Fw: ssh problem with </blockquote></blockquote> migrated <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on EL7.1 -->Not Solved On 06/02/2015 06:15 PM, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the </blockquote></blockquote> cause <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> of this problem. Let's call them HOST09 and HOST10 Both are mimimum installs of EL7.1, with NTPD installed and configured. HOST09 had ipa-client 4.1 installed via yum, and was configured to use </blockquote> our <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> new FreeIPA 4.1 server, right from the start. --> My FreeIPA user authenticates successfully against this machine. HOST10 had ipa-client 4.1 installed as a dependency of one of our </blockquote> standard <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> config packages, and was first set to use our old FreeIPA 3.3.3 server. </blockquote> --> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> My FreeIPA user authenticates successfully. against this machine. I then de-registered HOST10 from the FreeIPA 3.1 server, and registered against the new FreeIPA 4.1 server --> My FreeIPA users does NOT authenticate successfully. This replicates well the behaviour I saw with my production servers, </blockquote> namely <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> a) EL 7.1 hosts with ipa-client 4.1 registered directly against the new </blockquote> 4.1 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA server authenticate properly. b) EL 7.1 hosts with ipa-client 4.1 first registered against the old </blockquote> 3.3.3 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA server, then reregistered with the new 4.1 FreeIPA server do </blockquote></blockquote></blockquote> NOT <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> authenticate properly Chris </blockquote> Hello, This is really strange. What I do not fully understand is what is the "registration against a FreeIPA server". What server you install IPA </blockquote> client <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> should matter if the deployment is set up properly. The host enrollment entry should simply replicate to whole infrastructure. The only thing that </blockquote></blockquote> will <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> probably differ is sssd.conf and krb5.conf as they will have different primary server set up, based on what your DNS setup is. It rather seems that the "reregistration" is what causes the issue. It looks like something cleanup problem during the process. I will let Jakub to </blockquote> help <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> here, I would suggest including the SSSD logs from the failed login, it </blockquote> may <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> help. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 16:52 ----- From: Christopher </blockquote></blockquote></blockquote> Lamb/Switzerland/IBM@IBMCH <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> To: Jakub Hrozek </blockquote></blockquote></blockquote> <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Cc: </blockquote></blockquote></blockquote> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Date: 02.06.2015 10:40 Subject: Re: </blockquote></blockquote></blockquote> [Freeipa-users] Fw: ssh problem with <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> migrated <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on EL7.1 -->Not Solved Sent by: </blockquote></blockquote></blockquote> <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Jakub Yes root login works, that's how I've been getting into the box. Surprisingly, kinit with my user seems to work on that box. After </blockquote> entering <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> my password when prompted, it returns to the commandline without error. However if I try kinit with another FreeIPA user, then instead of </blockquote> prompting <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> for a password, it gives "Generic preauthentication failure while </blockquote></blockquote> getting <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> initial credentials" error. Having set debug_level=10, when I try and ssh in with my FreeIPA user, </blockquote></blockquote></blockquote> I <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> find errors like "Retrieving host .... with result: .. Matching credential not found" "Received error from KDC ... Additional pre-authentication required" "Received error from KDC... Decrypt integrity check failed" "Received error code 1432158219" Cheers Chris From: </blockquote></blockquote></blockquote> Jakub Hrozek <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> To: </blockquote></blockquote></blockquote> Christopher <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Lamb/Switzerland/IBM@IBMCH <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Cc: </blockquote></blockquote> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Date: </blockquote></blockquote></blockquote> 02.06.2015 09:50 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Subject: </blockquote></blockquote></blockquote> Re: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> [Freeipa-users] Fw: ssh problem with <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> migrated <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA client on EL7.1 -->Not Solved On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Jakub The same user / password works with all our FreeIPA hosts - just this </blockquote></blockquote> one <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> box is the problem. So the password should be good. Of course a type </blockquote></blockquote></blockquote></blockquote> is <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> always possible (especially for strong passwords), but I have tried </blockquote></blockquote></blockquote> many <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> times which should eliminate the odd password typo. The user / </blockquote></blockquote></blockquote></blockquote> password <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> should also be good for both the old and the new FreeIPA Server. </blockquote> Interesting, can you add debug_level=10 to the domain section of sssd.conf? Then krb5_child.log should show Kerberos tracing info including which exact KDC SSSD was talking to. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> As I can neither log in direct, or via ssh to this box with my FreeIPA user, I assume Kinit with my user won't work- i will try later in the </blockquote> day. Well, login as a UNIX user (root) should work.. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> My working assumption is that the problem is related in some way to </blockquote></blockquote></blockquote></blockquote> the <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> fact the host originally was a FreeIPA 3.3.3 client, updated to </blockquote></blockquote></blockquote></blockquote> FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1, and switched between 2 FreeIPA servers. I am currently setting up </blockquote></blockquote></blockquote> 2 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> throwaway EL 7.1 VMs to better test this. On one I will first install 3.3.3, then upgrade to 4.1. The second will have a direct install of </blockquote></blockquote></blockquote> 4.1 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client. Cheers Chris From: </blockquote></blockquote></blockquote> Jakub Hrozek <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> To: </blockquote></blockquote> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Date: </blockquote></blockquote></blockquote> 02.06.2015 09:22 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Subject: </blockquote></blockquote></blockquote> Re: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> [Freeipa-users] Fw: ssh problem with <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> migrated FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on EL7.1 -->Not Solved Sent by: </blockquote></blockquote> <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi All Bad news. Over the weekend I was able to get the original problem EL7.1 / </blockquote></blockquote></blockquote></blockquote> FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> host (FreeIPA client) to authenticate FreeiPA users (my test being </blockquote></blockquote></blockquote></blockquote></blockquote> ssh <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> remote login with FreeIPA user and password). Today I tried a second machine, and had the same problem, ssh </blockquote></blockquote> connections <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity </blockquote> check <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> failed" </blockquote> This really just means wrong password, can you kinit as that user </blockquote></blockquote></blockquote></blockquote> using <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> the same password? <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Ahh I thought, I have a solution for that: just remove ipa-client and reinstall via yum, register with the new FreeIPA server .... Only with this second machine I still can't ssh in with a FreeIPA </blockquote></blockquote></blockquote></blockquote> user. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Argg..... b.t.w, as this machine is a real physical server, I was able to try </blockquote> logging <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> in direct with my FreeIPA user --> "Authentication Failure" I now have * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the </blockquote></blockquote> old <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA server to the new without a hitch (i.e. they successfully authenticate FreeIPA users.) * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, </blockquote></blockquote></blockquote></blockquote> but <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> with problems * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all </blockquote></blockquote></blockquote></blockquote> attempts <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> to <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> authenticate with a FreeIPA user * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the </blockquote></blockquote> new <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> FreeIPA server, and successfully authenticates FreeIPA users. Any ideas? Chris ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 </blockquote></blockquote></blockquote></blockquote> 19:17 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> ----- From: </blockquote></blockquote></blockquote> </blockquote></blockquote> Christopher <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Lamb/Switzerland/IBM@IBMCH <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> To: </blockquote></blockquote></blockquote> </blockquote></blockquote> Alexander Bokovoy <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Date: </blockquote></blockquote></blockquote> </blockquote></blockquote> 30.05.2015 18:52 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Subject: </blockquote></blockquote></blockquote> </blockquote></blockquote> Re: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> [Freeipa-users] ssh problem with migrated FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> EL7.1 --> Solved Sent by: </blockquote></blockquote> <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi All It gives me pleasure to report the problem is solved - a minute ago I </blockquote></blockquote> was <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> able to login via ssh with my FreeIPA user to the problem server, </blockquote></blockquote></blockquote></blockquote> while <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> sitting on my terrace with a glass of wine! Thanks to Alexander for his helpful advice - we had some mail </blockquote></blockquote></blockquote></blockquote></blockquote> exchange <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> outside the user list as I did not wish to broadcast content of keys, config files etc. Regardless of what I did with commands like klist, kvno everything </blockquote></blockquote> seemed <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> "ok", but I still could not ssh in. Even a ipa-getkeytab did not </blockquote></blockquote></blockquote></blockquote></blockquote> help. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Therefore I decided to opt for brute force and (partial) ignorance. I completely uninstalled the FreeIPA client, and then reinstalled, </blockquote> configured <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> - ét voilà I could ssh in! This leaves the enigma: what caused the problem? I suspect the </blockquote></blockquote> following: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> The host is an EL 7.1, but the first FreeIPA client installed was </blockquote></blockquote> version <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 3.3.3 (installed as set of standard packages that we bung on all our servers). This worked fine to authenticate against our "old" 3.x FreeIPA </blockquote></blockquote></blockquote></blockquote></blockquote> server, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> but <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> did not work against the "new" 4.1 FreeIPA Server. When I realised I could not ssh in, one of the first things I did was </blockquote></blockquote> to <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not </blockquote></blockquote> help. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> The solution was to yum remove the FreeIPA client, then yum install </blockquote></blockquote></blockquote></blockquote> the <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 4.1 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client. I have some more EL 7.1 servers with the FreeIPA 3.3.3 client </blockquote></blockquote> installed, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> so <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> it will be interesting to see it the problem can be reproduced. Keep up the good work, Chris From: </blockquote></blockquote> </blockquote></blockquote> Alexander Bokovoy <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> To: </blockquote></blockquote> </blockquote></blockquote> Christopher <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Lamb/Switzerland/IBM@IBMCH <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Cc: </blockquote></blockquote> <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Date: </blockquote></blockquote> </blockquote></blockquote> 29.05.2015 18:04 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Subject: </blockquote></blockquote> </blockquote></blockquote> </blockquote> Re: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> [Freeipa-users] ssh problem with <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> migrated FreeIPA <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> client on EL7.1 On Fri, 29 May 2015, Christopher Lamb wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi All Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to </blockquote></blockquote> replace <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully </blockquote></blockquote></blockquote> migrated <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> across the users. We have 50 odd Servers that are FreeIPA clients. Today I started </blockquote></blockquote> migrating <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> these one-by-one from the old FreeIPA 3.x server to the new FreeIPA </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> 4 <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> server by doing an ipa-client-install --uninstall from the old, and ipa-client-install to register with the new 4.1.0 server. Most of the FreeIPA clients are running OEL 6.5, and for these the migration process above worked perfectly. After migrating the </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> server, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> could ssh in with my FreeIPA user. Then I migrated an OEL 7.1 server. The migration itself seemed to </blockquote></blockquote></blockquote> work, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> and <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> getent passwd was successful for my FreeIPA user. However when I try </blockquote></blockquote></blockquote> and <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> ssh in, my FreeIPA user / password is not accepted. Before the migration I could ssh into the problem server (though </blockquote></blockquote> evidently <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> it was using my FreeIPA user from the old FreeIPA server). I can ssh in with a local (non ldap) user, so ssh is running and </blockquote></blockquote> working. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> >From user root I can successfully su to my FreeIPA user. Further investigation showed that version of ipa-client installed </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> was <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 3.3.3, so I yum updated this to 4.1.0. However I still cannot ssh into the OEL 7.1 box with my FreeIPA </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> user. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> The <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> same user continues to work for the 6.5 boxes. A colleague tried to ssh in with his FreeIPA user, and was also </blockquote></blockquote> rejected, <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> so the problem is not my user, but is probably for all FreeIPA </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> users. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> A failed ssh login attempt causes the following error </blockquote></blockquote> in /var/log/messages <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> [sssd[krb5_child[5393]]]: Decrypt integrity check failed </blockquote> It means /etc/krb5.keytab contains keys from older system and SSSD picks them up. Can you show output of 'klist -kKet'? -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> </blockquote> </blockquote> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </div></div></blockquote></div> </div>