[Freeipa-users] Decrypt integrity check failed on client

Megan . nagemnna at gmail.com
Fri Jan 23 20:58:59 UTC 2015


Good Day!

I installed a new IPA server (same name as the old one) on a new
server.  I added a single user for testing.  I have a client that was
previously a client on the old IPA server, I ran ipa-client-install
--uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
and rebooted.  I then updated /etc/hosts to point to the new IPA
server, and ran ipa-client-install --no-ntp.  The install went fine.
Now when I try to login to the client using my new test user, it
doesn't work.  I get the below errors.  I am able to login to the new
directory server with my new user, was prompted to change my password,
and was able to log back in just fine.

Any help is appreciated.  Thanks.

Client:
[root at test3-vm ~]# uname -a
Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at test3-vm ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root at test3-vm ~]# rpm -qa | grep ipa-client
ipa-client-3.0.0-42.el6.centos.x86_64

Server:
[root at dir1 ~]# uname -a
Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root at dir1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root at dir1 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64



From client:
[root at test3-vm sssd]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
   1 01/23/15 14:27:06 host/test3-vm.mydomain.com at MYDOMAIN.COM
[root at test3-vm sssd]


This works fine:

[root at test3-vm sssd]# kinit tester1
Password for tester1 at MYDOMAIN.COM:
[root at test3-vm sssd]#


[root at test3-vm sssd]# tail -200 krb5_child.log
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain.com at MYDOMAIN.COM]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data]
(0x0200): Received error code 1432158218
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
[/etc/krb5.keytab]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain.com at MYDOMAIN.COM]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error]
(0x0020): 1043: [-1765328353][Decrypt integrity check failed]
(Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data]
(0x0200): Received error code 1432158218





[root at test3-vm sssd]# cat /etc/sssd/sssd.conf
# Do not edit Managed by Spacewalk
[domain/MYDOMAIN.COM]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = MYDOMAIN.COM
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = test3-vm.MYDOMAIN.COM
chpass_provider = ipa
ipa_server = _srv_, dir1.MYDOMAIN.COM
dns_discovery_domain = MYDOMAIN.COM

sudo_provider = ldap
ldap_uri = ldap://dir1.MYDOMAIN.COM
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = dir1.MYDOMAIN.COM
debug_level = 5

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
debug_level = 5

domains = MYDOMAIN.COM
[nss]

[pam]

[sudo]
debug_level = 5

[autofs]

[ssh]

[pac]
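
Added example, not part of the original post: a Python script that rejoins the mail-wrapped krb5_child.log records shown above and reports, per krb5_child PID, the FAST principal, whether the cached FAST TGT was reported valid, and each Kerberos error as its RFC 4120 number (-1765328353 is 31, KRB_AP_ERR_BAD_INTEGRITY). The function names are this example's own, and the embedded sample is three records copied from the excerpt.

```python
import re

# Constructed sample: three records copied from the post, mail wrapping kept.
SAMPLE = """\
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/test3-vm.mydomain.com at MYDOMAIN.COM]
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
[get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
check failed]
"""

RECORD = re.compile(r"^\([^)]+\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                    r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
KRB5_ERR = re.compile(r"\[(-\d+)\]\[([^\]]+)\]")
KRB5_BASE = -1765328384  # MIT krb5 error table base; offset = RFC 4120 code

def unwrap(text):
    """Rejoin wrapped records; a new record starts with '(' plus a weekday."""
    records = []
    for line in text.splitlines():
        if re.match(r"^\((Mon|Tue|Wed|Thu|Fri|Sat|Sun) ", line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return one dict per krb5_child PID with FAST state and krb5 errors."""
    attempts = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        a = attempts.setdefault(m["pid"], {
            "fast_principal": None, "fast_tgt_still_valid": False, "errors": []})
        if m["func"] == "k5c_setup_fast":
            p = re.search(r"\[([^\]]+)\]$", m["msg"])
            a["fast_principal"] = p.group(1) if p else None
        elif m["func"] == "check_fast_ccache" and "still valid" in m["msg"]:
            a["fast_tgt_still_valid"] = True
        elif m["func"] == "get_and_save_tgt":
            for code, reason in KRB5_ERR.findall(m["msg"]):
                a["errors"].append((int(code) - KRB5_BASE, reason))
    return attempts
```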



