[Freeipa-users] freeIPA bug: Kerberos clients fails taking to IPA server after ipa-client-install

David Copperfield cao2dan at yahoo.com
Mon Apr 30 21:51:03 UTC 2012


Hi folks,

 During migration of clients from an existing Kerberos/LDAP setup to IPA, after the 'ipa-client-install' command is run and reports a successful migration, we found that the client fails to talk to the IPA server.

 The symptom is: in the /var/log/messages file on the IPA client side, we can see the following entries:

        Apr 30 11:07:04 ldapclient02 sssd: Starting up
        Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
        Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
        Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
        Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

 It turns out that, instead of backing up and overwriting /etc/krb5.keytab, ipa-client-install only appends the newly generated host keytab entries to the same file /etc/krb5.keytab. Then, when the original entries have a higher KVNO than the newly generated siblings, the latter are shadowed and ignored.

 After manually removing the old entries from /etc/krb5.keytab with the tool ktutil (rkt, delent, wkt), the client immediately connects to the IPA server and the problem goes away. It will be greatly appreciated if the native ipa-rmkeytab can be extended to do the same job.

Thanks.

--David
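As an added example (not code from the post, from FreeIPA or from SSSD), the check below parses a keytab in the MIT 0x0502 format, lists every entry with its KVNO, and computes which ktutil slots to delete once the KVNO the KDC actually expects is known; that expected KVNO is an input here, and the realm, timestamps and key bytes in the sample keytab are constructed.

```python
"""Added example: parse an MIT krb5 keytab (format 0x0502) and list the ktutil
slots of entries that shadow the KVNO the KDC currently expects."""
import struct
def parse_keytab(data):
    """(slot, principal, kvno, timestamp, enctype) per entry; slot 1 = first."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                 # negative size marks a deleted (hole) entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                 # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _ntype, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        # a trailing 32-bit kvno, when present and non-zero, overrides vno8
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        princ = "/".join(strings[1:]) + "@" + strings[0]
        entries.append((len(entries) + 1, princ, vno32 or vno8, ts, enctype))
        pos = end
    return entries

def slots_to_delete(entries, principal, keep_kvno):
    """Slots of `principal` with KVNO != keep_kvno, highest first: 'delent'
    renumbers every slot after the one it removes, so delete top-down."""
    return sorted((s for s, p, k, _, _ in entries
                   if p == principal and k != keep_kvno), reverse=True)

def make_entry(principal, kvno, timestamp, enctype, key):
    """Serialize one entry; only used to build the constructed sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: stale pre-migration entries (KVNO 7) followed by the
# entry ipa-client-install appended (KVNO 2); realm and key bytes are made up.
HOST = "host/ldapclient02.example.com@EXAMPLE.COM"
SAMPLE = (b"\x05\x02" + make_entry(HOST, 7, 1300000000, 18, b"\x11" * 32)
          + make_entry(HOST, 7, 1300000000, 23, b"\x22" * 16)
          + make_entry(HOST, 2, 1335800000, 18, b"\x33" * 32))
```

On a real client, read /etc/krb5.keytab in binary mode and pass the KVNO the KDC reports for the host principal; the slots come back highest first so they can be handed to ktutil's delent in that order between rkt and wkt.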