[Freeipa-users] red hat 5 and red hat 6 compatability
Matthew Davidson
matt at mldserviceslex.com
Wed May 2 20:37:23 UTC 2012
"Is this from the client or from the server? I bet on the server."
That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files.
thanks
Matt
Date: Wed, 2 May 2012 14:57:24 -0400
From: dpal at redhat.com
To: matt at mldserviceslex.com
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
On 05/02/2012 02:50 PM, Matthew Davidson wrote:
Dmitri,
1) Do you have admin account on IPA side?
Yes. And judging by the command below admin does log in, or
am I mistaken?
[root@rhel5 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting     Expires            Service principal
05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right authentication server due to the DNS configuration.
2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?
No firewall. Shut those down at the first sign of trouble.
Thanks
Matt
Date: Wed, 2 May 2012 13:51:15 -0400
From: dpal at redhat.com
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
On 05/02/2012 12:43 PM, Matthew Davidson wrote:
Hi Rob
[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.
/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
/var/log/sssd/sssd.log
(Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
thanks for helping!
Matt
> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcritten at redhat.com
> To: matt at mldserviceslex.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > To clarify one point.
> >
> > I used the current redhat documents to setup the two systems.
> >
> > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> >
> > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> >
> > SSH does not seem to be discussed and that is when I started web surfing
> > in an attempt to fix my problem before reaching out for help.
>
> A host service principal is created during enrollment so no additional
> work should be needed for SSH to work. The problem you're having is
> related to the fact that user lookup services are failing.
>
> Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> are any errors reported regarding sssd?
> are any errors reported regarding sssd?
>
> What options did you pass to ipa-client-install?
>
> rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
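The logs Matt posted illustrate Rob's point that the SSH rejection is a symptom of user lookup failing, not an SSH problem: sshd reports the user as unknown in the same second that sssd's ldap_child cannot obtain a ticket for the host. The script below is an added example, not code from this thread or from the FreeIPA project; it parses the sshd and ldap_child lines quoted above (embedded here as its sample input) and correlates them into one finding. The regular expressions, function names and finding codes are this example's own.

```python
import re
from collections import Counter

# Log lines as posted in the thread (sshd from /var/log/secure, sssd from
# /var/log/sssd/ldap_child.log), re-joined one entry per line. Not a live capture.
SECURE_LOG = """\
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""

LDAP_CHILD_LOG = """\
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

# sshd / pam messages that mean "this host could not resolve the user at all"
SSHD_UNKNOWN_USER = re.compile(
    r"(?:[Ii]nvalid user|error retrieving information about user) (?P<user>\S+)"
)

# ldap_child entry shape:
# "(timestamp) [[sssd[ldap_child[pid]]]] [func] (level): Failed to init credentials: reason"
LDAP_CHILD_TGT_FAIL = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \(\d+\): Failed to init credentials: (?P<reason>.+)$"
)

# The KDC's way of saying the client principal in the request is unknown to it
PRINCIPAL_UNKNOWN = "Client not found in Kerberos database"


def unknown_users_from_sshd(text):
    """Count, per user name, how many sshd/pam lines failed to resolve that user."""
    counts = Counter()
    for line in text.splitlines():
        m = SSHD_UNKNOWN_USER.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def ldap_child_failures(text):
    """Return one dict (ts, pid, func, reason) per ldap_child line that failed to get a TGT."""
    failures = []
    for line in text.splitlines():
        m = LDAP_CHILD_TGT_FAIL.match(line)
        if m:
            failures.append(m.groupdict())
    return failures


def diagnose(secure_text, ldap_child_text):
    """Combine both logs into a single finding code (codes are this example's own)."""
    unknown = unknown_users_from_sshd(secure_text)
    failures = ldap_child_failures(ldap_child_text)
    reasons = Counter(f["reason"] for f in failures)

    if unknown and reasons.get(PRINCIPAL_UNKNOWN):
        # sshd cannot see users because sssd's LDAP backend never authenticated:
        # the KDC ldap_child reached does not know the principal in the client's
        # keytab, so the lookup layer, not sshd, is the thing to fix.
        finding = "user_lookup_down_host_principal_unknown"
    elif unknown and failures:
        finding = "user_lookup_down_other_tgt_error"
    elif unknown:
        finding = "sshd_unknown_user_only"
    else:
        finding = "no_lookup_failure_seen"

    return {
        "unknown_users": dict(unknown),
        "ldap_child_failures": len(failures),
        "tgt_failure_reasons": dict(reasons),
        "finding": finding,
    }


if __name__ == "__main__":
    for key, value in diagnose(SECURE_LOG, LDAP_CHILD_LOG).items():
        print(f"{key}: {value}")
```

When the finding is the principal-unknown one, the useful next check on the client is to compare the host principal stored in the keytab (`klist -kt /etc/krb5.keytab`) with the realm and KDC the client actually resolves through /etc/krb5.conf and DNS, which is the same DNS suspicion Rob and Dmitri raise in the thread.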