[Freeipa-users] Centos IPA Client fails after upgrade to 6.6

Jakub Hrozek jhrozek at redhat.com
Fri Oct 31 08:35:18 UTC 2014


> On 31 Oct 2014, at 02:23, David Taylor <david.taylor at speedcast.com> wrote:
> 
> I just recently updated one of our test servers from CentOS 6.5 to CentOS 6.6, after which I noticed that IPA logons were no longer available. From what I can see the upgrade includes quite a few changes with regard to sssd.
>  
> -          NTP is up and synced on the Auth servers and the client.
> -          DNS is working to the IPA servers
> -          I can do a kinit for users with no problem
> -          I have uninstalled the ipa client, deleted the host profile on the IPA server and done a rejoin. The rejoin worked but the problem is the same.
>  
> Software versions using 
> -          rpm -qa | grep -i ipa
> -          rpm -qa | grep -i sssd
>  
> Software versions before:
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
> sssd-1.9.2-129.el6_5.4.x86_64
> sssd-client-1.9.2-129.el6_5.4.x86_64
>  
> Software version after:
> sssd-ipa-1.11.6-30.el6.x86_64
> libipa_hbac-1.11.6-30.el6.x86_64
> device-mapper-multipath-libs-0.4.9-80.el6.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> libipa_hbac-python-1.11.6-30.el6.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> device-mapper-multipath-0.4.9-80.el6.x86_64
> sssd-ldap-1.11.6-30.el6.x86_64
> sssd-ad-1.11.6-30.el6.x86_64
> python-sssdconfig-1.11.6-30.el6.noarch
> sssd-client-1.11.6-30.el6.x86_64
> sssd-krb5-common-1.11.6-30.el6.x86_64
> sssd-ipa-1.11.6-30.el6.x86_64
> sssd-common-1.11.6-30.el6.x86_64
> sssd-proxy-1.11.6-30.el6.x86_64
> sssd-common-pac-1.11.6-30.el6.x86_64
> sssd-krb5-1.11.6-30.el6.x86_64
> sssd-1.11.6-30.el6.x86_64
>  
> The /var/log/secure logs show the following
>  
> Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from <ip removed>
> Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
> Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
> Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<host removed>
> Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving information about user dtaylor
>  

Do you also see pam_sss being mentioned in your /var/log/secure at all? Can you paste your PAM configuration? It’s expected that pam_unix fails to find the IPA user, but I would also expect the PAM stack to ask pam_sss next...

> The /var/log/audit/audit.log logs show the following
>  
> type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
> type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=<hostname removed> addr=<ip removed> terminal=ssh res=failed'
> type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
> type=CRYPTO_KEY_USER msg=audit(1414715862.076:114): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=session fp=? direction=both spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1414715862.078:115): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5830 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1414715862.079:116): user pid=5830 uid=0 auid=0 ses=1 msg='op=destroy kind=server fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5830 suid=0  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
> type=USER_LOGIN msg=audit(1414715862.079:117): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
>  
> The /var/log/sssd/sssd_<IPA Svr IP removed>.log logs show the following
>  
> ==> /var/log/sssd/sssd_<IPA Svr IP removed>.log <==
> (Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): dbus conn: 0x16699b0
> (Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
> (Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Fri Oct 31 12:13:39 2014) [sssd[be[<IPA Svr IP removed>]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]

These are just heartbeats between sssd_be and the main sssd process, not real activity.

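An added example, not part of the original thread: the bare `acct=` values in the audit.log excerpt above are hex-encoded, which is how the audit subsystem writes untrusted strings that contain spaces. This Python sketch decodes them from records copied from the post (only the lines used here); the function names are this example's own.

```python
import re

# Audit records copied from the post above (only the lines used here).
SAMPLE = """\
type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=5831 suid=74 rport=44361 laddr=<Client ip removed> lport=22  exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=? res=success'
type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=<hostname removed> addr=<ip removed> terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=<ip removed> terminal=ssh res=failed'
"""

HEADER = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_acct(raw):
    """Return the readable form of an audit acct= value."""
    if raw.startswith('"'):                      # plain string, stored quoted
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")  # hex-encoded
    return raw

def failed_auth_events(text):
    """List failed login/auth records with the acct field decoded."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line)
        body = re.search(r"msg='(.*)'", line)    # key=value payload from sshd
        if not (head and body):
            continue
        fields = dict(FIELD.findall(body.group(1)))
        if fields.get("res") != "failed" or "acct" not in fields:
            continue
        events.append({
            "type": head.group(1),
            "serial": int(head.group(2)),
            "op": fields.get("op"),
            "acct": decode_acct(fields["acct"]),
        })
    return events

if __name__ == "__main__":
    for ev in failed_auth_events(SAMPLE):
        print(ev["serial"], ev["type"], ev["op"], repr(ev["acct"]))
```

The decoded values are placeholder strings rather than the login name, which matches the "Invalid user dtaylor" lines in /var/log/secure. On a live system `ausearch -i` performs the same decoding.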
