<html><body>Hi Jakub, Thanks... here is output klist -ke [root@server1 rusers]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96) 1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96) 1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1) 1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac) kinit -k odd though as kinit -k seems to fail but kinit with admin seems to work indicating I can hit the KDC even though kinit -k says I cannot? [root@server1 pam.d]# kinit -k server1 kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while getting initial credentials [root@server1 pam.d]# kinit -k server1.IPA.LOCAL kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL while getting initial credentials [root@server1 pam.d]# kinit admin Password for admin@ipa.local: [root@server1 pam.d]# [root@server1 pam.d]# klist Ticket cache: KEYRING:persistent:1111111111:1111111111 Default principal: admin@IPA.LOCAL Valid starting Expires Service principal 11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/IPA.LOCAL@IPA.LOCAL [root@server1 pam.d]# ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 1 host/server1.ipa.local@IPA.LOCAL 2 1 host/server1.ipa.local@IPA.LOCAL 3 1 host/server1.ipa.local@IPA.LOCAL 4 1 host/server1.ipa.local@IPA.LOCAL Added debug_level = 10 on the domain section of sssd.conf and restarted is all I see [root@server1 sssd]# cat ldap_child.log (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type (Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type (Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type Additonal: [root@server1 rusers]# systemctl -l status sssd.service sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) Drop-In: /etc/systemd/system/sssd.service.d ДАjournal.conf Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS) Main PID: 3042 (sssd) CGroup: /system.slice/sssd.service ЖА3042 /usr/sbin/sssd -D -f ЖА3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0 --debug-to-files ЖА3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files ЖА3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files ЖА3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files ЖА3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files ДА3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security Services Daemon. Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection. [root@server1 rusers]# Seeing this in /var/log/sssd/sssd_ipa.local.log (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init] (0x0010): fatal error initializing data providers (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could not initialize backend [14] (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: Bad address (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module] (0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! This is also strange but might be side effect I assume.. we mount NFS v4 home dir with automount for central homes and profiles.. on the boxes having this issue some of the IDs show just the UID numbers/GID numebrs where some of the IDs actually show the UID name/GID name. We have over 2k servers showing the UID name/GID name with no issues.. just the boxes having this issue. Sean Hogan <img src="cid:1__=88BB0AFEDFC754E38f9e8a93df938690918c88B@" width="67" height="53" align="top"> <img src="cid:2__=88BB0AFEDFC754E38f9e8a93df938690918c88B@" width="60" height="51" align="top"> <img width="16" height="16" src="cid:3__=88BB0AFEDFC754E38f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Jakub Hrozek ---11/16/2016 02:29:52 AM---On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: ">Jakub Hrozek ---11/16/2016 02:29:52 AM---On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: > From: Jakub Hrozek <jhrozek@redhat.com> To: freeipa-users@redhat.com Date: 11/16/2016 02:29 AM Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: > > > Hello, > > > I am starting to see some issues with a few RHEL7 boxes I have been > enrolling to my RHEL 6 IPA server regarding encryption. > > > RHEL 7 client > Red Hat Enterprise Linux Server release 7.1 (Maipo) > sssd-ipa-1.12.2-58.el7_1.18.x86_64 > ipa-client-4.1.0-18.el7_1.4.x86_64 > > RHEL 6 Server > Red Hat Enterprise Linux Server release 6.8 (Santiago) > sssd-ipa-1.13.3-22.el6_8.4.x86_64 > ipa-server-3.0.0-50.el6.1.x86_64 > > > The RHEL 7 client shows this in messages > > Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support > for encryption type Could you post a more verbose ldap_child log (debug_level=10 includes KRB5_TRACE-level messages) so that we see what kind of crypto was used? > Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize > credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check > failed. Unable to create GSSAPI-encrypted LDAP connection. > > I am also not seeing host certs for them on the ipa server but I do see > them on the local box. > > [root@server1 pam.d]# ktutil Can you run klist -ke as well to see what encryption types are included in the keytab? Is it possible to run "kinit -k" on the client? > ktutil: rkt /etc/krb5.keytab > ktutil: l > slot KVNO Principal > ---- ---- > --------------------------------------------------------------------- > 1 1 host/server1.ipa.local@IPA.LOCAL > 2 1 host/server1.ipa.local@IPA.LOCAL > 3 1 host/server1.ipa.local@IPA.LOCAL > 4 1 host/server1.ipa.local@IPA.LOCAL > ktutil: > > > I have one RHEL 7 box with no issues as it was just enrolled (missing host > certs in IPA though) and I compared and IPA ID login with a box not > working > </tt><tt>NOT Work</tt><tt> > type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" > hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed' > > vs > > Works > type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 > auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" > exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh > res=success' > > Its almost as if the pam files are not being read? > > > > Sean Hogan > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> > Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project -- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project </tt> </body></html>