[Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones Steven.Jones at vuw.ac.nz
Wed Mar 9 19:45:20 UTC 2011


I have set up a 2nd client and I have the same result... but it looks like
the keytab is correct? However, LDAP logins still don't work...


Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ


regards


On Tue, 2011-03-08 at 17:10 -0500, Stephen Gallagher wrote:
> On 03/08/2011 04:40 PM, Steven Jones wrote:
> > On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> >> Steven Jones wrote:
> >>> 8><------
> >>>
> >>>
> >>> So how do I fault find? where do I start?
> >>>
> >>> ie Where do I start to look to determine why a user cannot login to a
> >>> client via freeipa?
> >>>
> >>> How can I be more clear? because so far the replies have been not very
> >>> productive.
> >>>
> >>> regards
> >>>
> >>>
> >>
> >> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> >> sssd, and try your login again. Look
> >> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
> >>
> >> Your uid/gid will likely differ.
> >>
> >> # getent passwd admin
> >> admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
> >> # id admin
> >> uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
> >> # getent group admins
> >> admins:*:264200000:admin
> >> # finger admin
> >> Login: admin                            Name: Administrator
> >> Directory: /home/admin                  Shell: /bin/bash
> >> Never logged in.
> >> No mail.
> >> No Plan.
> > 
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> > [default]
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> > Could not verify keytab
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> > (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> > fatal error initializing data providers
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> > initialize backend [14]
> > (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> > [default]
> 
> 
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
> 
> What does
> klist -k /etc/krb5.keytab
> return to you?
> 
> --
> Stephen Gallagher
> RHCE 804006346421761

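An added example, not part of the original thread: a shell check that pulls the principal SSSD reports as missing out of its log and compares it with the principals listed by `klist -k`, which is the comparison the replies above ask for. The sample log and keytab listings are constructed, modelled on the output quoted in the thread with `@` written where the list archive prints ` at `, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Constructed samples modelled on the thread's output (not captured data).
SSSD_LOG='(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab'

# Keytab that holds another host's key, so SSSD's lookup fails.
KLIST_BAD='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   1 host/fed14-64-ipacl02.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz@IPA.AC.NZ'

# Keytab that holds the principal SSSD asked for.
KLIST_GOOD='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   1 host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ'

# stdin: sssd backend log. stdout: principals reported as missing, unique.
missing_principals() {
    sed -n 's/.*Principal \[\([^]]*\)] not found in keytab.*/\1/p' | sort -u
}

# stdin: plain `klist -k` output. stdout: principals, unique.
# Data rows are the ones whose first field is a numeric KVNO.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# $1 = sssd log text, $2 = klist -k output.
# Prints "MISSING: <principal>" for each principal SSSD wanted that the
# keytab does not contain; returns 1 if any are missing, else 0.
check_keytab() {
    _wanted=$(printf '%s\n' "$1" | missing_principals)
    _have=$(printf '%s\n' "$2" | keytab_principals)
    _rc=0
    for _p in $_wanted; do
        if ! printf '%s\n' "$_have" | grep -qxF -- "$_p"; then
            echo "MISSING: $_p"
            _rc=1
        fi
    done
    return "$_rc"
}

# On a client: check_keytab "$(cat /var/log/sssd/sssd_<domain>.log)" \
#                           "$(klist -k /etc/krb5.keytab)"
check_keytab "$SSSD_LOG" "$KLIST_BAD" || echo "keytab lacks the principal SSSD needs"
check_keytab "$SSSD_LOG" "$KLIST_GOOD" && echo "keytab matches"
```

A mismatch means the keytab was issued for a different host name than the one SSSD derives for the machine, so compare the reported principal with the client's fully qualified host name before re-enrolling.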