[Freeipa-users] trouble adding users

Ryan Chase rchase at cs.vt.edu
Thu Jan 9 18:43:57 UTC 2014


On 1/9/14 1:27 PM, Simo Sorce wrote:
> On Thu, 2014-01-09 at 12:00 -0500, Ryan Chase wrote:
>>
>> On 1/9/14 11:45 AM, Rob Crittenden wrote:
>>> Ryan Chase wrote:
>>>> On 1/9/14 11:15 AM, Jakub Hrozek wrote:
>>>>> On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
>>>>>> On 1/8/14 5:25 PM, Jakub Hrozek wrote:
>>>>>>> On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
>>>>>>>> I've added a new user using the command "ipa user-add" from the ipa
>>>>>>>> server.  I can see correct user information when I run the commands
>>>>>>>> "ipa user-show" and "ipa user-status". However, I cannot see the
>>>>>>>> user when I run "getent passwd username" or even "id username". When
>>>>>>>> I run "id username" I get, "no such user".
>>>>>>>>     I feel this may be an issue with sssd, but I'm not 100% sure.
>>>>>>>> /etc/nsswitch.conf looks correct.
>>>>>>>>     Any ideas?
>>>>>>>>
>>>>>>>> --Ryan
>>>>>>>>
>>>>>>>> IPA server is CentOS 6 running freeipa version 3.0.0
>>>>>>>
>>>>>>> Hi Ryan,
>>>>>>>
>>>>>>> this indeed sounds like an issue with the SSSD.
>>>>>>>
>>>>>>> Given that you said nsswitch.conf looks OK, can you raise debug_level
>>>>>>> (let's start with 5 perhaps) in the [nss] and [domain/] sections,
>>>>>>> restart the SSSD and inspect the logs in /var/log/sssd/ for any
>>>>>>> errors?
>>>>>>>
>>>>>>> Is there anything in the syslog? Some errors, like invalid keytab are
>>>>>>> logged to the system logs as well as the SSSD debug logs.
>>>>>>>
>>>>>>
>>>>>> Below is a snip from the sssd log with debug_level=5
>>>>>> This was an ssh attempt to the server.
>>>>>>
>>>>>
>>>>> This log snippet is telling us about problems with keytab:
>>>>>
>>>>>> (Thu Jan  9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
>>>>>> (0x0100): Could not get TGT: 14 [Bad address]
>>>>>
>>>>>
>>>>> Perhaps /var/log/sssd/ldap_child.log would have more info?
>>>>>
>>>>> Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?
>>>>>
>>>>
>>>> Running kinit -k gives the following
>>>>
>>>> kinit: Password incorrect while getting initial credentials
>>>>
>>>> Here is a snip from ldap_child.log
>>>> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
>>>> ldap_child started.
>>>> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
>>>> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
>>>> [host/server.csl.local at CSL.LOCAL]
>>>> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
>>>> [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>>> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
>>>> [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
>>>> (Thu Jan  9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
>>>> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
>>>> integrity check failed
>>>> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020):
>>>> ldap_child_get_tgt_sync failed.
>>>> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response]
>>>> (0x0400): Building response for result [-1765328353]
>>>> (Thu Jan  9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
>>>> ldap_child completed successfully
>>>
>>> So the keytab is bad, strange.  You might try this:
>>>
>>> # kinit admin
>>> # kvno host/`hostname`
>>> # klist -kt /etc/krb5.keytab
>>>
>>> Compare the version number of the service in the keytab vs what kvno
>>> returns. They should be the same. If they are different then that
>>> explains the failure. It would mean though that someone else pulled a
>>> keytab for this host principal so generating a new keytab may break
>>> whatever they did.
>>>
>>> If you determine that this is ok you can fetch a new keytab with:
>>>
>>> # ipa-getkeytab -s ipa.example.com -p host/`hostname` -k /etc/krb5.keytab
>>>
>>> Then restart sssd and things should work.
>>>
>>> rob
>>>
>>
>> The version numbers don't match.  How would I fix this?
>
> Using the ipa-getkeytab command mentioned above.
>
> Simo.

That command worked.  I can now authenticate to the server and users 
appear as they should.
   I checked the version numbers again with kvno and klist, and they are 
still different.  Does this matter?  There are new entries when I run 
the command kinit -kt, also with a different version number than what 
kvno displays.

  Thank you, everyone for your help. I've been trying to debug this for 
a while.
  --Ryan
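A worked version of the KVNO comparison Rob describes in the quoted thread, added here as an example (it is not code from the thread or from the FreeIPA project): it parses `klist -kt` and `kvno` output, using constructed sample text for the host principal from the log above, and reports whether the keytab still holds the key version the KDC currently issues. The `check_live` wrapper, the sample strings and the exact output formats they mimic are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare the key version numbers
# (KVNOs) a keytab holds for a principal with the KVNO the KDC currently issues,
# the comparison Rob describes above. A keytab that lacks the KDC's current
# version is stale, and SSSD's ldap_child cannot decrypt tickets with it.

# Constructed sample of `klist -kt /etc/krb5.keytab`: old key, version 2, two enctypes.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/08/14 14:02:11 host/server.csl.local@CSL.LOCAL
   2 01/08/14 14:02:11 host/server.csl.local@CSL.LOCAL'

# Constructed sample of `kvno host/server.csl.local`: the KDC is already at version 3.
SAMPLE_KVNO='host/server.csl.local@CSL.LOCAL: kvno = 3'

# keytab_kvnos PRINCIPAL: read `klist -kt` output on stdin, print each distinct
# KVNO stored for PRINCIPAL (the principal is the last field of an entry line).
keytab_kvnos() {
    awk -v p="$1" '$NF == p { print $1 }' | sort -un
}

# kdc_kvno: read `kvno` output on stdin, print the version the KDC put in the ticket.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 when the keytab holds the KDC's current version (extra, older
# versions alongside it are harmless), 1 when it does not (stale keytab),
# 2 when either output could not be parsed.
check_kvno() {
    want=$(printf '%s\n' "$3" | kdc_kvno)
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    [ -n "$want" ] && [ -n "$have" ] || return 2
    for v in $have; do
        [ "$v" = "$want" ] && return 0
    done
    echo "stale keytab: KVNO(s) $(printf '%s ' $have)found but KDC issues KVNO $want for $1" >&2
    return 1
}

# check_live PRINCIPAL: the same comparison against the real commands on an
# enrolled host (assumes the output formats sampled above; kvno needs a TGT).
check_live() {
    check_kvno "$1" "$(klist -kt /etc/krb5.keytab)" "$(kvno "$1")"
}
```

Because a keytab may hold several versions of the same key, the check passes as long as the version the KDC put in the ticket is among them; only when every stored version differs from the KDC's does the keytab need re-fetching, as the thread does with ipa-getkeytab.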
