[Freeipa-users] red hat 5 and red hat 6 compatibility

Rob Crittenden rcritten at redhat.com
Wed May 2 18:27:08 UTC 2012


Matthew Davidson wrote:
> Hi Rob
>
> [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at EXAMPLE.COM:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> *Unable to find 'admin' user with 'getent passwd admin'!*
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

This is the key. sssd can't connect to the IPA server due to this 
Kerberos error which is why the user information is unavailable.

Am I right to assume you have another Kerberos server (or AD) 
configured using the same realm name on your network? I have the feeling 
sssd is finding the wrong KDC.

rob
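Rob's suspicion above is that the client's Kerberos libraries are reaching a KDC other than the IPA server: "Client not found in Kerberos database" is the KDC saying it does not know the principal sssd presented, which for ldap_child is the client's own host/ principal from /etc/krb5.keytab. The script below is an added example, not from this thread or from the FreeIPA project. It reads a krb5.conf in the layout ipa-client-install writes and reports where MIT krb5 will look for a realm's KDC: the static kdc lines in [realms] when there are any, DNS SRV records only when none are listed and dns_lookup_kdc is on (the MIT default when the option is absent). The two krb5.conf files it parses are constructed inline; the function names kdcs_for_realm, dns_lookup_kdc, kdc_source and live_checks are this example's own, and live_checks, which runs dig, klist and kinit on the affected client, is defined but not executed here.

```shell
#!/bin/sh
# Added example (not from the thread): trace a "Client not found in Kerberos
# database" from sssd's ldap_child back to the KDC the client actually uses.
# Parsing works offline on constructed files; live checks run only on demand.

# Print the kdc entries listed for REALM in the [realms] section of CONF.
# Assumes the "REALM = {" / "kdc = host:port" layout ipa-client-install writes.
kdcs_for_realm() {
    conf=$1
    realm=$2
    awk -v realm="$realm" '
        /^[ \t]*\[/ { section = $0; gsub(/[^a-z_]/, "", section); in_realm = 0; next }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && /^[ \t]*}/ { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$conf"
}

# Print the effective dns_lookup_kdc value from [libdefaults]; MIT krb5
# treats a missing setting as true.
dns_lookup_kdc() {
    val=$(awk '
        /^[ \t]*\[/ { section = $0; gsub(/[^a-z_]/, "", section); next }
        section == "libdefaults" && $1 == "dns_lookup_kdc" && $2 == "=" { print tolower($3) }
    ' "$1")
    printf '%s\n' "${val:-true}"
}

# Where the libraries will look for REALM's KDC: static kdc lines win; DNS
# SRV records are consulted only when none are listed and lookup is enabled.
kdc_source() {
    conf=$1
    realm=$2
    kdcs=$(kdcs_for_realm "$conf" "$realm")
    if [ -n "$kdcs" ]; then
        printf 'static %s\n' "$(printf '%s' "$kdcs" | tr '\n' ' ' | sed 's/ $//')"
    elif [ "$(dns_lookup_kdc "$conf")" = true ]; then
        printf 'dns _kerberos._udp.%s\n' "$realm"
    else
        printf 'none\n'
    fi
}

# Live checks for the affected client (not run in this script). If kinit with
# the keytab fails with the same "Client not found" error, the KDC answering
# is not the one that issued /etc/krb5.keytab.
live_checks() {
    realm=$1
    echo "--- SRV records a DNS-based KDC lookup would use"
    dig +short SRV "_kerberos._udp.$realm" 2>/dev/null || echo "(dig not available)"
    echo "--- principals in the client keytab"
    klist -k -t /etc/krb5.keytab
    echo "--- TGT for the host principal from the configured KDC"
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)@$realm" && klist
}

# Constructed sample 1: what ipa-client-install writes when, as in the thread,
# the DNS domain has no KDC records (fixed kdc line, DNS lookup disabled).
SAMPLE_CONF=${TMPDIR:-/tmp}/krb5.conf.sample.$$
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = rhel6.example.com:88
    admin_server = rhel6.example.com:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
EOF

# Constructed sample 2: no kdc line and dns_lookup_kdc left at its default,
# so any SRV record for the realm name, including a foreign KDC's, is used.
SAMPLE_CONF_DNS=${TMPDIR:-/tmp}/krb5.conf.dns.$$
cat > "$SAMPLE_CONF_DNS" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    admin_server = rhel6.example.com:749
  }
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF_DNS"' EXIT

for f in "$SAMPLE_CONF" "$SAMPLE_CONF_DNS"; do
    printf '%s -> %s\n' "$f" "$(kdc_source "$f" EXAMPLE.COM)"
done
```

On the RHEL 5 client, run `kdc_source /etc/krb5.conf EXAMPLE.COM` and then `live_checks EXAMPLE.COM`. The kdc line should match the server ipa-client-install wrote into /etc/sssd/sssd.conf (ipa_server, or krb5_server when the ldap and krb5 providers are used), and any SRV record for _kerberos._udp.EXAMPLE.COM that points somewhere other than rhel6.example.com is the second KDC Rob is asking about.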
