<html><body>Yes sir... I added the kinit kts in the previous thinking it was needed. <tt>> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting > initial credentials > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Program lacks support for encryption type while getting initial > credentials</tt> Sean Hogan <img src="cid:1__=88BB0AFEDFF04D248f9e8a93df938690918c88B@" width="67" height="53" align="top"> <img src="cid:2__=88BB0AFEDFF04D248f9e8a93df938690918c88B@" width="60" height="51" align="top"> <img width="16" height="16" src="cid:3__=88BB0AFEDFF04D248f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Martin Babinsky ---11/16/2016 10:54:32 AM---On 11/16/2016 05:56 PM, Sean Hogan wrote: > Sorry.. listi">Martin Babinsky ---11/16/2016 10:54:32 AM---On 11/16/2016 05:56 PM, Sean Hogan wrote: > Sorry.. listing ouput of klist -e and klist -ke... but k From: Martin Babinsky <mbabinsk@redhat.com> To: Sean Hogan/Durham/IBM@IBMUS Cc: freeipa-users@redhat.com, Jakub Hrozek <jhrozek@redhat.com> Date: 11/16/2016 10:54 AM Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>On 11/16/2016 05:56 PM, Sean Hogan wrote: > Sorry.. listing ouput of klist -e and klist -ke... but kinit -k does not > seem to be working if I have it right.. kinit -kt is more promising but > still fails > > > *Klists* > > [root@server1 read]# klist -e > Ticket cache: KEYRING:persistent:111111111:11111111111 > Default principal: admin@ipa.local > > Valid starting Expires Service principal > 11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/ipa.local@IPA.LOCAL > Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 > > > [root@server1 read]# klist -ke > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96) > 1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96) > 1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1) > 1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac) > > > > *Kinits * > > [root@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local' > Extra arguments (starting with "host/server1.ipa.local"). > Usage: kinit [-V] [-l lifetime] [-s start_time] > [-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C] > [-E] > [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename] > [-S service_name] [-T ticket_armor_cache] > [-X <attribute>[=<value>]] [principal] > > options: -V verbose > -l lifetime > -s start time > -r renewable lifetime > -f forwardable > -F not forwardable > -p proxiable > -P not proxiable > -n anonymous > -a include addresses > -A do not include addresses > -v validate > -R renew > -C canonicalize > -E client is enterprise principal name > -k use keytab > -i use default client keytab (with -k) > -t filename of keytab to use > -c Kerberos 5 cache name > -S service > -T armor credential cache > -X <attribute>[=<value>] > > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting > initial credentials > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Program lacks support for encryption type while getting initial > credentials > > > Sean Hogan > > > > > > > > Inactive hide details for Martin Babinsky ---11/16/2016 09:33:08 AM---On > 11/16/2016 05:14 PM, Sean Hogan wrote: > Hi Jakub,Martin Babinsky > ---11/16/2016 09:33:08 AM---On 11/16/2016 05:14 PM, Sean Hogan wrote: > > Hi Jakub, > > From: Martin Babinsky <mbabinsk@redhat.com> > To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhrozek@redhat.com> > Cc: freeipa-users@redhat.com > Date: 11/16/2016 09:33 AM > Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server > > ------------------------------------------------------------------------ > > > > On 11/16/2016 05:14 PM, Sean Hogan wrote: >> Hi Jakub, >> >> Thanks... here is output >> >> >> *klist -ke* >> [root@server1 rusers]# klist -ke >> Keytab name: FILE:/etc/krb5.keytab >> KVNO Principal >> ---- >> -------------------------------------------------------------------------- >> 1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96) >> 1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96) >> 1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1) >> 1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac) >> >> >> >> *kinit -k odd though as kinit -k seems to fail but kinit with admin >> seems to work indicating I can hit the KDC even though kinit -k says I >> cannot?* >> >> [root@server1 pam.d]# kinit -k server1 >> kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while >> getting initial credentials >> [root@server1 pam.d]# kinit -k server1.IPA.LOCAL >> kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL >> while getting initial credentials > You need to specify full principal name as printed from klist command, > i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local > >> [root@server1 pam.d]# kinit admin >> Password for admin@ipa.local: >> [root@server1 pam.d]# >> [root@server1 pam.d]# klist >> Ticket cache: KEYRING:persistent:1111111111:1111111111 >> Default principal: admin@IPA.LOCAL >> >> Valid starting Expires Service principal >> 11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/IPA.LOCAL@IPA.LOCAL >> >> [root@server1 pam.d]# ktutil >> ktutil: rkt /etc/krb5.keytab >> ktutil: l >> slot KVNO Principal >> ---- ---- >> --------------------------------------------------------------------- >> 1 1 host/server1.ipa.local@IPA.LOCAL >> 2 1 host/server1.ipa.local@IPA.LOCAL >> 3 1 host/server1.ipa.local@IPA.LOCAL >> 4 1 host/server1.ipa.local@IPA.LOCAL >> >> >> >> *Added debug_level = 10 on the domain section of sssd.conf and restarted >> is all I see* >> [root@server1 sssd]# cat ldap_child.log >> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> (Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> (Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> (Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> (Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]] >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program >> lacks support for encryption type >> >> >> >> >> *Additonal:* >> >> [root@server1 rusers]# systemctl -l status sssd.service >> sssd.service - System Security Services Daemon >> Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) >> Drop-In: /etc/systemd/system/sssd.service.d >> ДАjournal.conf >> Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago >> Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, > status=0/SUCCESS) >> Main PID: 3042 (sssd) >> CGroup: /system.slice/sssd.service >> ЖА3042 /usr/sbin/sssd -D -f >> ЖА3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0 >> --debug-to-files >> ЖА3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files >> ЖА3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files >> ЖА3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files >> ЖА3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files >> ДА3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files >> >> Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up >> Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up >> Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security >> Services Daemon. >> Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed >> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: >> Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP >> connection. >> [root@server1 rusers]# >> >> Seeing this in /var/log/sssd/sssd_ipa.local.log >> >> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init] >> (0x0010): fatal error initializing data providers >> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could >> not initialize backend [14] >> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] >> [select_principal_from_keytab] (0x0010): Failed to read keytab >> [default]: Bad address >> (Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module] >> (0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)! >> >> This is also strange but might be side effect I assume.. we mount NFS v4 >> home dir with automount for central homes and profiles.. on the boxes >> having this issue some of the IDs show just the UID numbers/GID numebrs >> where some of the IDs actually show the UID name/GID name. We have over >> 2k servers showing the UID name/GID name with no issues.. just the boxes >> having this issue. >> >> >> >> Sean Hogan >> >> >> >> >> >> >> Inactive hide details for Jakub Hrozek ---11/16/2016 02:29:52 AM---On >> Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: Jakub Hrozek >> ---11/16/2016 02:29:52 AM---On Tue, Nov 15, 2016 at 07:24:38PM -0700, >> Sean Hogan wrote: > >> >> From: Jakub Hrozek <jhrozek@redhat.com> >> To: freeipa-users@redhat.com >> Date: 11/16/2016 02:29 AM >> Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server >> Sent by: freeipa-users-bounces@redhat.com >> >> ------------------------------------------------------------------------ >> >> >> >> On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote: >>> >>> >>> Hello, >>> >>> >>> I am starting to see some issues with a few RHEL7 boxes I have been >>> enrolling to my RHEL 6 IPA server regarding encryption. >>> >>> >>> RHEL 7 client >>> Red Hat Enterprise Linux Server release 7.1 (Maipo) >>> sssd-ipa-1.12.2-58.el7_1.18.x86_64 >>> ipa-client-4.1.0-18.el7_1.4.x86_64 >>> >>> RHEL 6 Server >>> Red Hat Enterprise Linux Server release 6.8 (Santiago) >>> sssd-ipa-1.13.3-22.el6_8.4.x86_64 >>> ipa-server-3.0.0-50.el6.1.x86_64 >>> >>> >>> The RHEL 7 client shows this in messages >>> >>> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support >>> for encryption type >> >> Could you post a more verbose ldap_child log (debug_level=10 includes >> KRB5_TRACE-level messages) so that we see what kind of crypto was used? >> >>> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize >>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity >> check >>> failed. Unable to create GSSAPI-encrypted LDAP connection. >>> >>> I am also not seeing host certs for them on the ipa server but I do see >>> them on the local box. >>> >>> [root@server1 pam.d]# ktutil >> >> Can you run klist -ke as well to see what encryption types are included >> in the keytab? >> >> Is it possible to run "kinit -k" on the client? >> >>> ktutil: rkt /etc/krb5.keytab >>> ktutil: l >>> slot KVNO Principal >>> ---- ---- >>> --------------------------------------------------------------------- >>> 1 1 host/server1.ipa.local@IPA.LOCAL >>> 2 1 host/server1.ipa.local@IPA.LOCAL >>> 3 1 host/server1.ipa.local@IPA.LOCAL >>> 4 1 host/server1.ipa.local@IPA.LOCAL >>> ktutil: >>> >>> >>> I have one RHEL 7 box with no issues as it was just enrolled (missing > host >>> certs in IPA though) and I compared and IPA ID login with a box not >>> working >>> *NOT Work* >>> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 >>> auid=4294967295 ses=4294967295 >> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 >>> msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" >>> hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed' >>> >>> vs >>> >>> Works >>> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 >>> auid=4294967295 ses=4294967295 >> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 >>> msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit > acct="janedoe" >>> exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh >>> res=success' >>> >>> Its almost as if the pam files are not being read? >>> >>> >>> >>> Sean Hogan >>> >>> >>> >>> >>> >>> >> >> >> >> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> >>> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> >> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project >> >> >> >> >> >> > > > -- > Martin^3 Babinsky > > > > -- Martin^3 Babinsky </tt> </body></html>