[Freeipa-users] Centos IPA Client fails after upgrade to 6.6

David Taylor david.taylor at speedcast.com
Fri Oct 31 01:23:29 UTC 2014


I just recently updated one of our test servers from CentOS 6.5 to CentOS 6.6, after which I noticed that IPA logons were no longer available. From what I can see the upgrade includes quite a few changes with regard to sssd.


- NTP is up and synced on the Auth servers and the client.
- DNS is working to the IPA servers.
- I can do a kinit for users with no problem.
- I have uninstalled the ipa client, deleted the host profile on the IPA server and done a rejoin. The rejoin worked but the problem is the same.

Software versions using

- rpm -qa | grep -i ipa
- rpm -qa | grep -i sssd

Software versions before:
libipa_hbac-1.9.2-129.el6_5.4.x86_64
device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
sssd-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64

Software version after:
sssd-ipa-1.11.6-30.el6.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
device-mapper-multipath-libs-0.4.9-80.el6.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
device-mapper-multipath-0.4.9-80.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-client-1.11.6-30.el6.x86_64
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64

The /var/log/secure logs show the following

Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from <ip removed>
Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<host removed>
Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving information about user dtaylor

The /var/log/audit/audit.log logs show the following

type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=<hostname removed> addr=<ip removed> terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1414715862.076:114): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=session fp=? direction=both spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715862.078:115): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5830 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1414715862.079:116): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5830 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=USER_LOGIN msg=audit(1414715862.079:117): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'

The /var/log/sssd/sssd_<IPA Svr IP removed>.log logs show the following

==> /var/log/sssd/sssd_<IPA Svr IP removed>.log <==
(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): dbus conn: 0x16699b0
(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
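
The `acct=` values in the audit.log excerpt above are hex-encoded strings, which is how the audit log writes a value containing spaces. As an added example that is not part of the original post, this Python sketch decodes them and lists the failed records; the sample lines are constructed from the excerpt (the address and hostname are placeholders), and decoding only `acct` is a choice made for this example.

```python
import re

# Constructed sample modelled on the audit.log excerpt in the post; the acct
# values are the ones quoted there, the address and hostname are placeholders.
SAMPLE = """\
type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=client.example addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
"""

RECORD = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):.*?msg='(.*)'")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
ENCODED_FIELDS = {"acct"}  # assumption: only acct is decoded in this example


def decode_value(key, raw):
    """Quoted values are literal; a bare hex value in an untrusted-string
    field is the string's bytes, written as hex because it contains
    spaces or other characters the audit log does not emit verbatim."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if key in ENCODED_FIELDS and HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # numeric and other plain fields (lport=22, uid=0) stay as-is


def failed_events(log_text):
    """Return (serial, type, op, account) for every record with res=failed."""
    events = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: decode_value(k, v) for k, v in FIELD.findall(body)}
        if fields.get("res") == "failed":
            events.append((int(serial), rtype, fields.get("op"), fields.get("acct")))
    return events


if __name__ == "__main__":
    for event in failed_events(SAMPLE):
        print(event)
```

The two hex values decode to `(unknown user)` and `(invalid user)`, matching the "Invalid user dtaylor" lines in /var/log/secure. On a live system `ausearch -i` performs the same interpretation.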