[Freeipa-users] red hat 5 and red hat 6 compatability

Dmitri Pal dpal at redhat.com
Wed May 2 18:57:24 UTC 2012


On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> Dmitri,
> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root at rhel5 ~]# kinit admin
> Password for admin at EXAMPLE.COM:
>
> [root at rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>

Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right
authentication server due to the DNS configuration.

> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> ------------------------------------------------------------------------
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: dpal at redhat.com
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
>     Hi Rob
>
>     [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
>     --server=rhel6.example.com
>     DNS domain 'example.com' is not configured for automatic KDC
>     address lookup.
>     KDC address will be set to fixed value.
>
>     Discovery was successful!
>     Hostname: rhel6.example.com
>     Realm: EXAMPLE.COM
>     DNS Domain: EXAMPLE.COM
>     IPA Server: rhel6.example.com
>     BaseDN: dc=example,dc=com
>
>     Continue to configure the system with these values? [no]: yes
>     User authorized to enroll computers: admin
>     Synchronizing time with KDC...
>     Password for admin at EXAMPLE.COM:
>
>     Enrolled in IPA realm EXAMPLE.COM
>     Created /etc/ipa/default.conf
>     Configured /etc/sssd/sssd.conf
>     Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
>     SSSD enabled
>     *Unable to find 'admin' user with 'getent passwd admin'!*
>
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
>     Recognized configuration: SSSD
>     Changed configuration of /etc/ldap.conf to use hardcoded server
>     name: rhel6.example.com
>     NTP enabled
>     Client configuration complete.
>
>     /var/log/secure
>     May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from
>     192.168.1.5
>     May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid
>     user mdavidson
>     May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass;
>     user unknown
>     May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth):
>     authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>     rhost=rhel6.example.com
>     May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
>     retrieving information about user mdavidson
>     May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
>     mdavidson from 192.168.1.5 port 52511 ssh2
>
>     /var/log/sssd/ldap_child.log
>     (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>     (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256]]]]
>     [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
>     not found in Kerberos database
>
>     /var/log/sssd/sssd.log
>     (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor
>     received Terminated: terminating children
>     (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor
>     received Terminated: terminating children
>
>     thanks for helping!
>     Matt
>
>     > Date: Wed, 2 May 2012 11:30:52 -0400
>     > From: rcritten at redhat.com
>     > To: matt at mldserviceslex.com
>     > CC: freeipa-users at redhat.com
>     > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     >
>     > Matthew Davidson wrote:
>     > > To clarify one point.
>     > >
>     > > I used the current redhat documents to setup the two systems.
>     > >
>     > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
>     > >
>     > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
>     > >
>     > > SSH does not seem to be discussed and that is when I started web surfing
>     > > in an attempt to fix my problem before reaching out for help.
>     >
>     > A host service principal is created during enrollment so no additional
>     > work should be needed for SSH to work. The problem you're having is
>     > related to the fact that user lookup services are failing.
>     >
>     > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
>     > are any errors reported regarding sssd?
>     >
>     > What options did you pass to ipa-client-install?
>     >
>     > rob
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
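As an added example (not code from this thread, from FreeIPA or from SSSD), a small Python triage script that parses the two log formats quoted above and reports, for each failed sshd user lookup, whether SSSD's ldap_child failed to obtain a TGT for the host at about the same time, which is what points the blame at client-side Kerberos/DNS rather than at sshd or PAM. The sample lines are constructed from the quoted excerpts; the log year and the 10-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the excerpts quoted in this thread.
LDAP_CHILD_LOG = """\
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""
SECURE_LOG = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""

# "(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: <reason>"
SSSD_RE = re.compile(r"^\((?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\) \[\[sssd\[ldap_child\[\d+\]\]\]\] "
                     r"\[ldap_child_get_tgt_sync\] \(\d+\): Failed to init credentials: (?P<reason>.+)$")
# Only the sshd lines that mean "NSS could not resolve this user", i.e. the lookup path SSSD serves.
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"(?:Invalid user|pam_succeed_if\(sshd:auth\): error retrieving information about user) (?P<user>\S+)")

def tgt_failures(text):
    """(timestamp, reason) for every ldap_child TGT failure; syslog-style double space is handled by strptime."""
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["reason"])
            for m in map(SSSD_RE.match, text.splitlines()) if m]

def lookup_failures(text, year):
    """(timestamp, user) for sshd user-lookup failures; /var/log/secure carries no year, so it is supplied."""
    return [(datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"), m["user"])
            for m in map(SSHD_RE.match, text.splitlines()) if m]

def correlate(ldap_child_log, secure_log, year, window_seconds=10):
    """Map each user whose sshd lookup failed to the ldap_child TGT failure reasons seen within the window.
    A hit such as 'Client not found in Kerberos database' means the KDC the client reached does not know the
    principal in the client's keytab: check which KDC /etc/krb5.conf and DNS point at, not sshd."""
    window = timedelta(seconds=window_seconds)
    tgt = tgt_failures(ldap_child_log)
    report = {}
    for when, user in lookup_failures(secure_log, year):
        report.setdefault(user, set()).update(r for t, r in tgt if abs(t - when) <= window)
    return {user: sorted(reasons) for user, reasons in report.items()}

if __name__ == "__main__":
    print(correlate(LDAP_CHILD_LOG, SECURE_LOG, 2012))
```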
