[Freeipa-users] Decrypt integrity check failed on client

Dmitri Pal dpal at redhat.com
Fri Jan 23 23:40:00 UTC 2015


On 01/23/2015 03:58 PM, Megan . wrote:
> Good Day!
>
> I installed a new IPA server (same name as the old one) on a new
> server.  I added a single user for testing.  I have a client that was
> previously a client on the old IPA server, i ran ipa-client-install
> --uninstall, removed the /etc/ipa/ca.crt, removed items left in /tmp,
> and rebooted.  I then updated /etc/hosts to point to the new IPA
> server, and ran ipa-client-install --no-ntp.  The install went fine.
> Now when i try to login to the client using my new test user, it
> doesn't work.  I get the below errors.  I am able to login to the new
> directory server with my new user, was prompted to change my password,
> and was able to log back in just fine.
>
> Any help is appreciated.  Thanks.
>
> Client:
> [root at test3-vm ~]# uname -a
> Linux test3-vm.mydomain.com 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov
> 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at test3-vm ~]# cat /etc/redhat-release
> CentOS release 6.6 (Final)
> [root at test3-vm ~]# rpm -qa | grep ipa-client
> ipa-client-3.0.0-42.el6.centos.x86_64
>
> Server:
> [root at dir1 ~]# uname -a
> Linux dir1.mydomain.com 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17
> 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at dir1 ~]# cat /etc/redhat-release
> CentOS release 6.6 (Final)
> [root at dir1 ~]# rpm -qa | grep ipa-server
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> ipa-server-3.0.0-42.el6.centos.x86_64
>
>
>
> From client:
> [root at test3-vm sssd]# klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
>     1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
>     1 01/23/15 14:27:05 host/test3-vm.mydomain.com at MYDOMAIN.COM
>     1 01/23/15 14:27:06 host/test3-vm.mydomain.com at MYDOMAIN.COM
> [root at test3-vm sssd]
>
>
> This works fine:
>
> [root at test3-vm sssd]# kinit tester1
> Password for tester1 at MYDOMAIN.COM:
> [root at test3-vm sssd]#
>
>
> [root at test3-vm sssd]# tail -200 krb5_child.log
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
> principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
> [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/test3-vm.mydomain.com at MYDOMAIN.COM]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
> [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]]
> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
> check failed]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [map_krb5_error]
> (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
> (Fri Jan 23 14:43:01 2015) [[sssd[krb5_child[2812]]]] [k5c_send_data]
> (0x0200): Received error code 1432158218
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1004] gid [1004] validate [true] enterprise
> principal [false] offline [false] UPN [tester1 at MYDOMAIN.COM]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_1004_XXXXXX] keytab:
> [/etc/krb5.keytab]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [set_lifetime_options] (0x0100): Cannot read
> [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
> [true]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/test3-vm.mydomain.com at MYDOMAIN.COM]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]]
> [get_and_save_tgt] (0x0020): 981: [-1765328353][Decrypt integrity
> check failed]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [map_krb5_error]
> (0x0020): 1043: [-1765328353][Decrypt integrity check failed]
> (Fri Jan 23 15:39:54 2015) [[sssd[krb5_child[2900]]]] [k5c_send_data]
> (0x0200): Received error code 1432158218
>
>
>
>
>
> [root at test3-vm sssd]# cat /etc/sssd/sssd.conf
> # Do not edit Managed by Spacewalk
> [domain/MYDOMAIN.COM]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = MYDOMAIN.COM
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = test3-vm.MYDOMAIN.COM
> chpass_provider = ipa
> ipa_server = _srv_, dir1.MYDOMAIN.COM
> dns_discovery_domain = MYDOMAIN.COM
>
> sudo_provider = ldap
> ldap_uri = ldap://dir1.MYDOMAIN.COM
> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/test3-vm.MYDOMAIN.COM
> ldap_sasl_realm = MYDOMAIN.COM
> krb5_server = dir1.MYDOMAIN.COM
> debug_level = 5
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> debug_level = 5
>
> domains = MYDOMAIN.COM
> [nss]
>
> [pam]
>
> [sudo]
> debug_level = 5
>
> [autofs]
>
> [ssh]
>
> [pac]
>


It seems that you have several keys in the keytab for the same principal.
AFAIR (vaguely) kinit and SSSD try keys in a different order, something 
like: one uses the last key in the list and another uses the first.
There was even a ticket I think.

Try removing all the keys and leaving only one - latest.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
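As an added illustration (not code from the thread, from SSSD or from FreeIPA), the following Python parses an MIT keytab in the 0x0502 format that klist reads and reports (principal, enctype) pairs carrying more than one key version, the situation the reply suggests pruning to the latest KVNO. The keytab bytes, the dummy key material and the second enrollment at kvno 2 are constructed for the example.

```python
import struct
from collections import defaultdict

cstr = lambda s: struct.pack(">H", len(s)) + s   # counted string: uint16 length, then bytes

def build_entry(realm, comps, enctype, key, kvno, ts=0):
    """Encode one MIT keytab (format 0x0502) entry; all integers big-endian."""
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, enctype, kvno) for every live slot, skipping deleted ones."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                  # negative size marks a deleted (free) slot
            pos += -size; continue
        e, i, strs = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", e[:2])[0] + 1):   # realm, then each component
            (n,) = struct.unpack(">H", e[i:i + 2]); i += 2
            strs.append(e[i:i + n].decode()); i += n
        _ntype, _ts, vno8 = struct.unpack(">IIB", e[i:i + 9]); i += 9
        enctype, klen = struct.unpack(">HH", e[i:i + 4]); i += 4 + klen
        vno32 = struct.unpack(">I", e[i:i + 4])[0] if size - i >= 4 else 0
        entries.append(("/".join(strs[1:]) + "@" + strs[0], enctype, vno32 or vno8))
        pos += size
    return entries

def stale_keys(entries):
    """(principal, enctype) pairs that hold more than one KVNO, with the KVNOs sorted."""
    kvnos = defaultdict(set)
    for princ, enctype, kvno in entries:
        kvnos[(princ, enctype)].add(kvno)
    return {k: sorted(v) for k, v in kvnos.items() if len(v) > 1}

# Constructed sample: the thread's host principal enrolled twice (kvno 1, then 2) for
# enctypes 18 (aes256-cts) and 17 (aes128-cts), plus one freed slot. Keys are dummy bytes.
HOST, REALM = ["host", "test3-vm.mydomain.com"], "MYDOMAIN.COM"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry(REALM, HOST, 18, b"\x11" * 32, 1),
    build_entry(REALM, HOST, 17, b"\x22" * 16, 1),
    struct.pack(">i", -8) + b"\0" * 8,             # slot freed by ktutil's delent
    build_entry(REALM, HOST, 18, b"\x33" * 32, 2),
    build_entry(REALM, HOST, 17, b"\x44" * 16, 2),
])
```

On a real client, `klist -kte /etc/krb5.keytab` adds the enctype column that the `klist -kt` output above omits, so several entries at the same KVNO can simply be different enctypes of one key; only repeated (principal, enctype) pairs at different KVNOs are candidates for pruning.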



