[Freeipa-users] trouble adding users

Simo Sorce simo at redhat.com
Thu Jan 9 18:27:28 UTC 2014


On Thu, 2014-01-09 at 12:00 -0500, Ryan Chase wrote:
> 
> On 1/9/14 11:45 AM, Rob Crittenden wrote:
> > Ryan Chase wrote:
> >> On 1/9/14 11:15 AM, Jakub Hrozek wrote:
> >>> On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
> >>>> On 1/8/14 5:25 PM, Jakub Hrozek wrote:
> >>>>> On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
> >>>>>> I've added a new user using the command "ipa user-add" from the ipa
> >>>>>> server.  I can see correct user information when I run the commands
> >>>>>> "ipa user-show" and "ipa user-status". However, I cannot see the
> >>>>>> user when I run "getent passwd username" or even "id username". When
> >>>>>> I run "id username" I get, "no such user".
> >>>>>>    I feel this may be an issue with sssd, but I'm not 100% sure.
> >>>>>> /etc/nsswitch.conf looks correct.
> >>>>>>    Any ideas?
> >>>>>>
> >>>>>> --Ryan
> >>>>>>
> >>>>>> IPA server is CentOS 6 running freeipa version 3.0.0
> >>>>>
> >>>>> Hi Ryan,
> >>>>>
> >>>>> this indeed sounds like an issue with the SSSD.
> >>>>>
> >>>>> Given that you said nsswitch.conf looks OK, can you raise debug_level
> >>>>> (let's start with 5 perhaps) in the [nss] and [domain/] sections,
> >>>>> restart the SSSD and inspect the logs in /var/log/sssd/ for any
> >>>>> errors?
> >>>>>
> >>>>> Is there anything in the syslog? Some errors, like invalid keytab are
> >>>>> logged to the system logs as well as the SSSD debug logs.
> >>>>>
> >>>>
> >>>> Below is a snip from the sssd log with debug_level=5
> >>>> This was an ssh attempt to the server.
> >>>>
> >>>
> >>> This log snippet is telling us about problems with keytab:
> >>>
> >>>> (Thu Jan  9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
> >>>> (0x0100): Could not get TGT: 14 [Bad address]
> >>>
> >>>
> >>> Perhaps /var/log/sssd/ldap_child.log would have more info?
> >>>
> >>> Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?
> >>>
> >>
> >> Running kinit -k gives the following
> >>
> >> kinit: Password incorrect while getting initial credentials
> >>
> >> Here is a snip from ldap_child.log
> >> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
> >> ldap_child started.
> >> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
> >> [host/server.csl.local@CSL.LOCAL]
> >> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> >> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> >> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
> >> integrity check failed
> >> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020):
> >> ldap_child_get_tgt_sync failed.
> >> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response]
> >> (0x0400): Building response for result [-1765328353]
> >> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
> >> ldap_child completed successfully
> >
> > So the keytab is bad, strange.  You might try this:
> >
> > # kinit admin
> > # kvno host/`hostname`
> > # klist -kt /etc/krb5.keytab
> >
> > Compare the version number of the service in the keytab vs what kvno
> > returns. They should be the same. If they are different then that
> > explains the failure. It would mean though that someone else pulled a
> > keytab for this host principal so generating a new keytab may break
> > whatever they did.
> >
> > If you determine that this is ok you can fetch a new keytab with:
> >
> > # ipa-getkeytab -s ipa.example.com -p host/`hostname` -k /etc/krb5.keytab
> >
> > Then restart sssd and things should work.
> >
> > rob
> >
> 
> The version numbers don't match.  How would I fix this?

Using the ipa-getkeytab command mentioned above.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
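The check Rob describes (compare the KVNO in the keytab with what `kvno` returns for the host principal) is easy to get wrong by eye when the keytab lists one row per encryption type. The script below is an added example, not code from the thread or from FreeIPA; it parses MIT-style `klist -kt` and `kvno` output and reports match, mismatch or missing principal. The principal name, keytab listing and kvno line are constructed sample data, and `keytab_kvno`, `kdc_kvno` and `check_kvno` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): compare the key version number (KVNO)
# stored in a keytab listing with the version the KDC currently issues, i.e.
# the `klist -kt` versus `kvno` check from the thread. All sample output below
# is constructed; on a real host the functions are fed the live command output.

PRINCIPAL='host/server.csl.local@CSL.LOCAL'

# Constructed sample of `klist -kt /etc/krb5.keytab` (MIT format, one row per
# encryption type, all rows carrying the same version).
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/08/14 15:00:00 host/server.csl.local@CSL.LOCAL
   2 01/08/14 15:00:00 host/server.csl.local@CSL.LOCAL
   2 01/08/14 15:00:00 host/server.csl.local@CSL.LOCAL'

# Constructed sample of `kvno host/server.csl.local@CSL.LOCAL` run after `kinit admin`.
KVNO_SAMPLE='host/server.csl.local@CSL.LOCAL: kvno = 3'

# keytab_kvno PRINCIPAL KLIST_OUTPUT
# Prints the highest KVNO the keytab holds for PRINCIPAL, or 0 if absent.
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kdc_kvno PRINCIPAL KVNO_OUTPUT
# Prints the version the KDC reports for PRINCIPAL, or nothing if not found.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == (p ":") { print $NF }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Exit status: 0 versions match, 1 mismatch (the failure seen in the thread:
# the KDC has re-keyed the principal but the keytab still holds the old key),
# 2 principal missing from the keytab or unknown to the KDC.
check_kvno() {
    kt=$(keytab_kvno "$1" "$2")
    kdc=$(kdc_kvno "$1" "$3")
    if [ "$kt" -eq 0 ] || [ -z "$kdc" ]; then
        echo "$1: not found in keytab or not known to the KDC" >&2
        return 2
    fi
    if [ "$kt" -ne "$kdc" ]; then
        echo "$1: keytab has kvno $kt, KDC issues kvno $kdc (mismatch)" >&2
        return 1
    fi
    echo "$1: kvno $kt matches"
    return 0
}

# Run against the constructed samples; `|| :` keeps the non-zero result from
# aborting a shell that runs with `set -e`.
check_kvno "$PRINCIPAL" "$KLIST_SAMPLE" "$KVNO_SAMPLE" || :
```

On a live host, after `kinit admin` as in the thread, feed the real output in: `check_kvno "host/$(hostname)@YOUR.REALM" "$(klist -kt /etc/krb5.keytab)" "$(kvno "host/$(hostname)")"`. A mismatch is the condition under which `kinit -k` fails with "Password incorrect" and `ldap_child` logs "Decrypt integrity check failed"; fetching a fresh keytab with `ipa-getkeytab` replaces the stale key, which is why Rob's caveat about someone else having pulled a keytab for the same principal matters before doing so.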
