[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Jun 1 17:35:11 UTC 2015


Hi All

Bad news.

Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
remote login with FreeIPA user and password).

Today I tried a second machine, and had the same problem, ssh connections
with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
failed"

Ahh I thought, I have a solution for that: just remove ipa-client and
reinstall via yum, register with the new FreeIPA server ....

Only with this second machine I still can't ssh in with a FreeIPA user.
Argg.....

b.t.w, as this machine is a real physical server, I was able to try logging
in direct with my FreeIPA user --> "Authentication Failure"

I now have
* a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
FreeIPA server to the new without a hitch (i.e. they successfully
authenticate FreeIPA users.)
* one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
with problems
* one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
authenticate with a FreeIPA user
* one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
FreeIPA server, and successfully authenticates FreeIPA users.

Any ideas?

Chris


----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----

From:	Christopher Lamb/Switzerland/IBM at IBMCH
To:	Alexander Bokovoy <abokovoy at redhat.com>,
            freeipa-users at redhat.com
Date:	30.05.2015 18:52
Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
            EL7.1 --> Solved
Sent by:	freeipa-users-bounces at redhat.com



Hi All

It gives me pleasure to report the problem is solved - a minute ago I was
able to login via ssh with my FreeIPA user to the problem server, while
sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange
outside the user list as I did not wish to broadcast content of keys,
config files etc.

Regardless of what I did with commands like klist, kvno everything seemed
"ok", but I still could not ssh in. Even an ipa-getkeytab did not help.

Therefore I decided to opt for brute force and (partial) ignorance. I
completely uninstalled the FreeIPA client, and then reinstalled, configured
- et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version
3.3.3 (installed as set of standard packages that we bung on all our
servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but
did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to
yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
The solution was to yum remove the FreeIPA client, then yum install the 4.1
client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris


From:		 Alexander Bokovoy <abokovoy at redhat.com>
To:		 Christopher Lamb/Switzerland/IBM at IBMCH
Cc:		 freeipa-users at redhat.com
Date:		 29.05.2015 18:04
Subject:		 Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1



On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>so the problem is not my user, but is probably for all FreeIPA users.
>
>A failed ssh login attempt causes the following error in /var/log/messages
>
>[sssd[krb5_child[5393]]]: Decrypt integrity check failed
It means /etc/krb5.keytab contains keys from older system and SSSD
picks them up.
Can you show output of 'klist -kKet'?
--
/ Alexander Bokovoy
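Alexander's diagnosis above (old keys left in /etc/krb5.keytab that SSSD picks up, producing "Decrypt integrity check failed") can be checked from the output of 'klist -kKet' and of 'kvno' against the new KDC. The script below is an added example for this thread, not code from the list or from the FreeIPA project. It parses constructed sample output (the host el7.example.test, the realm EXAMPLE.TEST, the timestamps and the 0x.. key values are all made up) and reports keytab entries that cannot match what the KDC issues: a principal in a different realm, a kvno the KDC no longer issues, a missing entry for the kvno it does issue, or two different keys stored for the same principal, kvno and enctype. Key bytes are compared but never printed, so the report can be pasted to a list without broadcasting keys.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kKet` output. Host name, realm, timestamps
# and the 0x.. key values are made up; the kvno-2 lines stand for keys left
# over from the old server, and kvno 3 aes256 appears twice with different
# keys, as happens when a keytab is appended to rather than replaced.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2015 09:00:00 host/el7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x0a0a)
   2 01/15/2015 09:00:00 host/el7.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)  (0x0b0b)
   3 05/29/2015 17:40:11 host/el7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x0c0c)
   3 05/29/2015 17:40:11 host/el7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x0d0d)
   3 05/29/2015 17:40:11 host/el7.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)  (0x0e0e)
"""

# Constructed sample of `kvno host/el7.example.test` answered by the new KDC.
SAMPLE_KVNO = "host/el7.example.test@EXAMPLE.TEST: kvno = 3\n"

# One keytab entry: kvno, timestamp, principal, (enctype), optional (0xkey).
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<princ>\S+)\s+"
    r"\((?P<etype>[^)]+)\)(?:\s+\((?P<key>0x[0-9a-fA-F]+)\))?"
)
KVNO_RE = re.compile(r"^(?P<princ>\S+): kvno = (?P<kvno>\d+)")


def parse_klist(text):
    """Return (kvno, principal, enctype, key_hex) tuples from `klist -kKet`.
    Header and separator lines do not match the entry pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("princ"),
                            m.group("etype"), m.group("key")))
    return entries


def parse_kvno(text):
    """Map principal -> kvno the KDC currently issues, from `kvno` output."""
    return {m.group("princ"): int(m.group("kvno"))
            for m in map(KVNO_RE.match, text.splitlines()) if m}


def audit_keytab(klist_text, kvno_text, expected_realm):
    """Return human-readable findings about keytab entries that cannot match
    what the KDC issues. Key bytes are compared but never included in output."""
    findings = []
    current = parse_kvno(kvno_text)
    kvnos_by_princ = defaultdict(set)
    keys_by_slot = defaultdict(set)          # (princ, kvno, etype) -> {key}
    for kvno, princ, etype, key in parse_klist(klist_text):
        kvnos_by_princ[princ].add(kvno)
        keys_by_slot[(princ, kvno, etype)].add(key)
        realm = princ.rsplit("@", 1)[-1]
        if realm != expected_realm:
            findings.append(f"{princ}: realm {realm} is not {expected_realm}")
    for princ, kvnos in sorted(kvnos_by_princ.items()):
        if princ not in current:
            findings.append(f"{princ}: no kvno answer from KDC")
            continue
        stale = sorted(kvnos - {current[princ]})
        if stale:
            findings.append(f"{princ}: stale kvno(s) {stale}, KDC issues kvno {current[princ]}")
        if current[princ] not in kvnos:
            findings.append(f"{princ}: keytab lacks kvno {current[princ]} that the KDC issues")
    for (princ, kvno, etype), keys in sorted(keys_by_slot.items()):
        if len(keys) > 1:
            findings.append(f"{princ}: {len(keys)} different keys for kvno {kvno} {etype}")
    return findings


if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KLIST, SAMPLE_KVNO, "EXAMPLE.TEST"):
        print("WARN", finding)
```

On a real client, feed the script the output of 'klist -kKet' and of 'kvno host/<fqdn>' run against the new server with the realm the client was enrolled in. Two keys under one kvno and enctype is the case where SSSD can pick the wrong one; a clean keytab, as produced by the reinstall Chris describes, yields no findings.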