[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

Christopher Lamb christopher.lamb at ch.ibm.com
Tue Jun 2 07:43:48 UTC 2015


Hi Jakub

The same user / password works with all our FreeIPA hosts - just this one
box is the problem. So the password should be good. Of course a typo is
always possible (especially for strong passwords), but I have tried many
times, which should eliminate the odd password typo. The user / password
should also be good for both the old and the new FreeIPA Server.

As I can neither log in directly nor via ssh to this box with my FreeIPA
user, I assume kinit with my user won't work - I will try later in the day.

My working assumption is that the problem is related in some way to the
fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
throwaway EL 7.1 VMs to better test this. On one I will first install
3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
client.

Cheers

Chris



From:	Jakub Hrozek <jhrozek at redhat.com>
To:	freeipa-users at redhat.com
Date:	02.06.2015 09:22
Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Sent by:	freeipa-users-bounces at redhat.com



On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
>
> Hi All
>
> Bad news.
>
> Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> remote login with FreeIPA user and password).
>
> Today I tried a second machine, and had the same problem, ssh connections
> with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
> failed"

This really just means wrong password, can you kinit as that user using
the same password?

>
> Ahh I thought, I have a solution for that: just remove ipa-client and
> reinstall via yum, register with the new FreeIPA server ....
>
> Only with this second machine I still can't ssh in with a FreeIPA user.
> Argg.....
>
> b.t.w, as this machine is a real physical server, I was able to try logging
> in direct with my FreeIPA user --> "Authentication Failure"
>
> I now have
> * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> FreeIPA server to the new without a hitch (i.e. they successfully
> authenticate FreeIPA users.)
> * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> with problems
> * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> authenticate with a FreeIPA user
> * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> FreeIPA server, and successfully authenticates FreeIPA users.
>
> Any ideas?
>
> Chris
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
> -----
>
> From:	Christopher Lamb/Switzerland/IBM at IBMCH
> To:	Alexander Bokovoy <abokovoy at redhat.com>, freeipa-users at redhat.com
> Date:	30.05.2015 18:52
> Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> Sent by:	freeipa-users-bounces at redhat.com
>
>
>
> Hi All
>
> It gives me pleasure to report the problem is solved - a minute ago I was
> able to log in via ssh with my FreeIPA user to the problem server, while
> sitting on my terrace with a glass of wine!
>
> Thanks to Alexander for his helpful advice - we had some mail exchange
> outside the user list as I did not wish to broadcast content of keys,
> config files etc.
>
> Regardless of what I did with commands like klist, kvno everything seemed
> "ok", but I still could not ssh in. Even a ipa-getkeytab did not help.
>
> Therefore I decided to opt for brute force and (partial) ignorance. I
> completely uninstalled the FreeIPA client, and then reinstalled, configured
> - et voilà I could ssh in!
>
> This leaves the enigma: what caused the problem? I suspect the following:
>
> The host is an EL 7.1, but the first FreeIPA client installed was version
> 3.3.3 (installed as set of standard packages that we bung on all our
> servers).
>
> This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> did not work against the "new" 4.1 FreeIPA Server.
>
> When I realised I could not ssh in, one of the first things I did was to
> yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> The solution was to yum remove the FreeIPA client, then yum install the 4.1
> client.
>
> I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> it will be interesting to see if the problem can be reproduced.
>
> Keep up the good work,
>
> Chris
>
> From:	Alexander Bokovoy <abokovoy at redhat.com>
> To:	Christopher Lamb/Switzerland/IBM at IBMCH
> Cc:	freeipa-users at redhat.com
> Date:	29.05.2015 18:04
> Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
>
>
>
> On Fri, 29 May 2015, Christopher Lamb wrote:
> >
> >Hi All
> >
> >Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> >across the users.
> >
> >We have 50-odd servers that are FreeIPA clients. Today I started migrating
> >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> >server by doing an ipa-client-install --uninstall from the old, and
> >ipa-client-install to register with the new 4.1.0 server.
> >
> >Most of the FreeIPA clients are running OEL 6.5, and for these the
> >migration process above worked perfectly. After migrating the server, I
> >could ssh in with my FreeIPA user.
> >
> >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> >getent passwd was successful for my FreeIPA user. However when I try and
> >ssh in, my FreeIPA user / password is not accepted.
> >
> >Before the migration I could ssh into the problem server (though evidently
> >it was using my FreeIPA user from the old FreeIPA server).
> >
> >I can ssh in with a local (non ldap) user, so ssh is running and working.
> >
> >From user root I can successfully su to my FreeIPA user.
> >
> >Further investigation showed that the version of ipa-client installed was
> >3.3.3, so I yum updated this to 4.1.0.
> >
> >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> >same user continues to work for the 6.5 boxes.
> >
> >A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> >so the problem is not my user, but is probably for all FreeIPA users.
> >
> >A failed ssh login attempt causes the following error in /var/log/messages
> >
> >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> It means /etc/krb5.keytab contains keys from older system and SSSD
> picks them up.
> Can you show output of 'klist -kKet'?
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

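Alexander's diagnosis in the quoted thread (keys left over from an earlier enrollment sitting in /etc/krb5.keytab, which SSSD's krb5_child then tries to use) can be checked from the two commands the thread names, `klist -kKet` and `kvno`. The script below is an added example, not code from the thread or from the FreeIPA project: it parses a constructed `klist -kKet` listing, flags entries from a realm other than the one the host is now enrolled in and principals that carry keys under more than one KVNO, and compares the keytab against the KVNO the KDC reports. The realm names, host name, timestamps and key values are made up, and the `klist` timestamp is assumed to print as two whitespace-separated tokens (date and time).

```python
"""Audit a host keytab listing for stale or foreign entries.

Added example (not from the mailing-list thread or FreeIPA). Realms, host
name and key bytes below are constructed; the `klist -kKet` line layout and
the two-token timestamp are assumptions about MIT Kerberos output.
"""
import re
from collections import defaultdict

# One entry line of `klist -kKet` output (MIT Kerberos layout):
#   KVNO  Timestamp  Principal (enctype)  (0xkey)
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\S+ \S+)\s+"
    r"(?P<princ>\S+@(?P<realm>[^\s@]+))"
    r"\s+\((?P<enctype>[^)]+)\)"
    r"(?:\s+\((?P<key>0x[0-9a-fA-F]+)\))?"
)
# One line of `kvno <principal>` output: "<principal>: kvno = <n>"
KVNO_RE = re.compile(r"^(?P<princ>\S+): kvno = (?P<kvno>\d+)")

# Constructed listing: two old-realm entries survived a migration, and the
# current realm's host principal has keys under two KVNOs.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2014 10:12:33 host/box.example.com@OLD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x11111111)
   2 01/15/2014 10:12:33 host/box.example.com@OLD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x22222222)
   1 05/29/2015 18:04:10 host/box.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x33333333)
   3 05/29/2015 18:04:10 host/box.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x44444444)
   3 05/29/2015 18:04:10 host/box.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x55555555)
"""
# Constructed `kvno` output for the host principal on the new server.
SAMPLE_KVNO = "host/box.example.com@EXAMPLE.COM: kvno = 3\n"


def parse_klist(text):
    """Return one dict per keytab entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["kvno"] = int(d["kvno"])
            entries.append(d)
    return entries


def audit_keytab(entries, expected_realm):
    """Flag entries from another realm and older key generations of a principal.

    Returns a sorted list of (finding, principal, kvno) tuples.
    """
    findings = set()
    by_princ = defaultdict(set)
    for e in entries:
        if e["realm"] != expected_realm:
            findings.add(("foreign-realm", e["princ"], e["kvno"]))
        by_princ[e["princ"]].add(e["kvno"])
    for princ, kvnos in by_princ.items():
        # Everything below the highest KVNO is a leftover generation.
        for old in sorted(kvnos)[:-1]:
            findings.add(("stale-kvno", princ, old))
    return sorted(findings)


def check_against_kdc(entries, kvno_output):
    """Compare keytab KVNOs with the KVNO the KDC currently issues.

    A principal whose current KDC KVNO has no matching keytab entry cannot
    decrypt the service tickets it receives. Returns a list of
    (principal, kdc_kvno, sorted keytab kvnos) for every mismatch.
    """
    have = defaultdict(set)
    for e in entries:
        have[e["princ"]].add(e["kvno"])
    mismatches = []
    for line in kvno_output.splitlines():
        m = KVNO_RE.match(line)
        if not m:
            continue
        princ, kdc_kvno = m.group("princ"), int(m.group("kvno"))
        if kdc_kvno not in have[princ]:
            mismatches.append((princ, kdc_kvno, sorted(have[princ])))
    return mismatches


if __name__ == "__main__":
    ents = parse_klist(SAMPLE_KLIST)
    for finding in audit_keytab(ents, "EXAMPLE.COM"):
        print("%-14s %s kvno=%d" % finding)
    for princ, kdc_kvno, have in check_against_kdc(ents, SAMPLE_KVNO):
        print("kvno-mismatch  %s KDC kvno=%d keytab kvnos=%s" % (princ, kdc_kvno, have))
```

A clean report does not prove the key material matches: the script compares only principal names and version numbers, and a host principal re-created on a freshly built server can end up under the same KVNO with a different key. The decisive checks remain the ones the thread used, a `kinit` as the user on the affected host and, when that fails, replacing the keytab by re-enrolling the client.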