[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 --> Not Solved

Jakub Hrozek jhrozek at redhat.com
Tue Jun 2 07:21:32 UTC 2015


On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> 
> Hi All
> 
> Bad news.
> 
> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> remote login with FreeIPA user and password).
> 
> Today I tried a second machine, and had the same problem, ssh connections
> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
> failed"

This really just means a wrong password; can you kinit as that user using
the same password?

> 
> Ahh I thought, I have a solution for that: just remove ipa-client and
> reinstall via yum, register with the new FreeIPA server ....
> 
> Only with this second machine I still can't ssh in with a FreeIPA user.
> Argg.....
> 
> b.t.w. as this machine is a real physical server, I was able to try logging
> in directly with my FreeIPA user --> "Authentication Failure"
> 
> I now have
> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> FreeIPA server to the new without a hitch (i.e. they successfully
> authenticate FreeIPA users.)
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> with problems
> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> authenticate with a FreeIPA user
> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> FreeIPA server, and successfully authenticates FreeIPA users.
> 
> Any ideas?
> 
> Chris
> 
> 
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
> -----
> 
> From:	Christopher Lamb/Switzerland/IBM at IBMCH
> To:	Alexander Bokovoy <abokovoy at redhat.com>,
>             freeipa-users at redhat.com
> Date:	30.05.2015 18:52
> Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> Sent by:	freeipa-users-bounces at redhat.com
> 
> 
> 
> Hi All
> 
> It gives me pleasure to report the problem is solved - a minute ago I was
> able to login via ssh with my FreeIPA user to the problem server, while
> sitting on my terrace with a glass of wine!
> 
> Thanks to Alexander for his helpful advice - we had some mail exchange
> outside the user list as I did not wish to broadcast content of keys,
> config files etc.
> 
> Regardless of what I did with commands like klist and kvno, everything seemed
> "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
> 
> Therefore I decided to opt for brute force and (partial) ignorance. I
> completely uninstalled the FreeIPA client, then reinstalled and configured
> it - et voilà, I could ssh in!
> 
> This leaves the enigma: what caused the problem? I suspect the following:
> 
> The host is an EL 7.1, but the first FreeIPA client installed was version
> 3.3.3 (installed as set of standard packages that we bung on all our
> servers).
> 
> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> did not work against the "new" 4.1 FreeIPA Server.
> 
> When I realised I could not ssh in, one of the first things I did was to
> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> The solution was to yum remove the FreeIPA client, then yum install the 4.1
> client.
> 
> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> it will be interesting to see if the problem can be reproduced.
> 
> Keep up the good work,
> 
> Chris
> 
> From:		 Alexander Bokovoy <abokovoy at redhat.com>
> To:		 Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:		 freeipa-users at redhat.com
> Date:		 29.05.2015 18:04
> Subject:		 Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
> 
> 
> 
> On Fri, 29 May 2015, Christopher Lamb wrote:
> >
> >Hi All
> >
> >Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> >across the users.
> >
> >We have 50 odd Servers that are FreeIPA clients. Today I started migrating
> >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> >server by doing an ipa-client-install --uninstall from the old, and
> >ipa-client-install to register with the new 4.1.0 server.
> >
> >Most of the FreeIPA clients are running OEL 6.5, and for these the
> >migration process above worked perfectly. After migrating the server, I
> >could ssh in with my FreeIPA user.
> >
> >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> >getent passwd was successful for my FreeIPA user. However when I try and
> >ssh in, my FreeIPA user / password is not accepted.
> >
> >Before the migration I could ssh into the problem server (though evidently
> >it was using my FreeIPA user from the old FreeIPA server).
> >
> >I can ssh in with a local (non ldap) user, so ssh is running and working.
> >
> >From user root I can successfully su to my FreeIPA user.
> >
> >Further investigation showed that version of ipa-client installed was
> >3.3.3, so I yum updated this to 4.1.0.
> >
> >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> >same user continues to work for the 6.5 boxes.
> >
> >A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> >so the problem is not my user, but is probably for all FreeIPA users.
> >
> >A failed ssh login attempt causes the following error in /var/log/messages
> >
> >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> It means /etc/krb5.keytab contains keys from the older system and SSSD
> picks them up.
> Can you show output of 'klist -kKet'?
> --
> / Alexander Bokovoy
> 
> 
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 
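The check behind Alexander's request for `klist -kKet` output is whether the host key in /etc/krb5.keytab is the one the new KDC knows about. The script below is an added example, not code from the thread or from the FreeIPA project: it parses the text formats of MIT krb5 klist(1) and kvno(1), compares the key version numbers (kvno) the keytab holds for the host principal with the kvno the KDC currently reports, and flags a keytab whose keys are all of a different version. The host name, realm and the sample klist/kvno text are constructed for the example, not captured from Chris's machines.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): compare the
# kvno(s) stored for the host principal in /etc/krb5.keytab with the kvno
# the KDC reports. Inputs are the text formats of MIT krb5 klist(1) and
# kvno(1). All sample text below is constructed, not captured from a real host.

PRINC='host/oel7.example.com@EXAMPLE.COM'   # assumed host principal

# Constructed 'klist -kKet /etc/krb5.keytab' output: kvno 2 keys left over
# from the enrolment against the old server (key bytes are placeholders).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/29/2015 10:02:11 host/oel7.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111111111111111111111111111111111111111111111111111111111111111)
   2 05/29/2015 10:02:11 host/oel7.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x22222222222222222222222222222222)'

# Constructed 'kvno host/oel7.example.com' output: the new server issued the
# host key with kvno 5.
SAMPLE_KVNO='host/oel7.example.com@EXAMPLE.COM: kvno = 5'

# Constructed klist output for a healthy host (keytab and KDC agree on kvno 5).
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 06/01/2015 09:15:40 host/oel7.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x3333333333333333333333333333333333333333333333333333333333333333)'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL
# Prints the distinct kvnos the keytab holds for PRINCIPAL, one per line.
# The principal is located by value, not by column, because the width of
# the timestamp column depends on locale.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[ \t]*[0-9]+[ \t]/ { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }
    ' | sort -un
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL
# Prints the kvno the KDC reported for PRINCIPAL ("princ: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# check_keytab_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Returns 0 when the keytab has a key with the KDC's current kvno,
# 1 when every keytab key is a different version (stale keytab),
# 2 when the principal is absent from the keytab, 3 when no kvno was reported.
check_keytab_kvno() {
    kt=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    [ -n "$kdc" ] || { echo "no kvno for $3 from the KDC (is there a valid TGT?)"; return 3; }
    [ -n "$kt" ]  || { echo "$3 not present in keytab"; return 2; }
    for v in $kt; do
        [ "$v" = "$kdc" ] && { echo "keytab kvno $v matches KDC kvno $kdc"; return 0; }
    done
    echo "stale keytab: keytab has kvno(s) $(echo $kt) but the KDC reports kvno $kdc"
    return 1
}

# Live run: sh check-keytab.sh --live   (get a ticket first, e.g. 'kinit admin',
# because kvno contacts the KDC). The principal with realm is taken from kvno's
# own output so it matches the keytab entry exactly.
if [ "${1:-}" = "--live" ]; then
    out=$(kvno "host/$(hostname -f)" 2>&1)
    check_keytab_kvno "$(klist -kKet /etc/krb5.keytab)" "$out" "${out%%: kvno*}"
fi
```

A matching kvno is necessary but not sufficient: a keytab written by the old server could carry the same version number with different key material, so the authoritative test is `kinit -kt /etc/krb5.keytab host/$(hostname -f)` against the new KDC. That kinit failing, or the script reporting a stale keytab, is consistent with the two readings the thread gives for "Decrypt integrity check failed" (wrong password, or keys from the older system still in the keytab); `ipa-getkeytab` or a clean `ipa-client-install` writes a fresh host key, which is what finally worked for Chris.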
