[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

Jakub Hrozek jhrozek at redhat.com
Tue Jun 2 07:50:41 UTC 2015


On Tue, Jun 02, 2015 at 09:43:48AM +0200, Christopher Lamb wrote:
> Hi Jakub
> 
> The same user / password works with all our FreeIPA hosts - just this one
> box is the problem. So the password should be good. Of course a typo is
> always possible (especially for strong passwords), but I have tried many
> times which should eliminate the odd password typo. The user / password
> should also be good for both the old and the new FreeIPA Server.

Interesting, can you add debug_level=10 to the domain section of
sssd.conf? Then krb5_child.log should show Kerberos tracing info
including which exact KDC SSSD was talking to.

> 
> As I can neither log in direct, nor via ssh to this box with my FreeIPA
> user, I assume kinit with my user won't work - I will try later in the day.

Well, login as a UNIX user (root) should work.

> 
> My working assumption is that the problem is related in some way to the
> fact the host originally was a FreeIPA 3.3.3 client, updated to FreeIPA
> 4.1, and switched between 2 FreeIPA servers. I am currently setting up 2
> throwaway EL 7.1 VMs to better test this. On one I will first install
> 3.3.3, then upgrade to 4.1. The second will have a direct install of 4.1
> client.
> 
> Cheers
> 
> Chris
> 
> 
> 
> From:	Jakub Hrozek <jhrozek at redhat.com>
> To:	freeipa-users at redhat.com
> Date:	02.06.2015 09:22
> Subject:	Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
> Sent by:	freeipa-users-bounces at redhat.com
> 
> 
> 
> On Mon, Jun 01, 2015 at 07:35:11PM +0200, Christopher Lamb wrote:
> >
> > Hi All
> >
> > Bad news.
> >
> > Over the weekend I was able to get the original problem EL7.1 / FreeIPA 4.1
> > host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
> > remote login with FreeIPA user and password).
> >
> > Today I tried a second machine, and had the same problem, ssh connections
> > with FreeIPA user cause "[sssd[krb5_child[3445]]]: Decrypt integrity check
> > failed"
> 
> This really just means wrong password, can you kinit as that user using
> the same password?
> 
> >
> > Ahh I thought, I have a solution for that: just remove ipa-client and
> > reinstall via yum, register with the new FreeIPA server ....
> >
> > Only with this second machine I still can't ssh in with a FreeIPA user.
> > Argg.....
> >
> > b.t.w, as this machine is a real physical server, I was able to try logging
> > in direct with my FreeIPA user --> "Authentication Failure"
> >
> > I now have
> > * a whole bunch of EL6.5 / FreeIPA 3.3.3 hosts that migrated from the old
> > FreeIPA server to the new without a hitch (i.e. they successfully
> > authenticate FreeIPA users.)
> > * one migrated EL7.1 / FreeIPA 4.1 host that I was able to migrate, but
> > with problems
> > * one migrated EL7.1 / FreeIPA 4.1 host that so far defies all attempts to
> > authenticate with a FreeIPA user
> > * one EL7.1 / FreeIPA 4.1 host that was only ever registered with the new
> > FreeIPA server, and successfully authenticates FreeIPA users.
> >
> > Any ideas?
> >
> > Chris
> >
> >
> > ----- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17 -----
> >
> > From:	Christopher Lamb/Switzerland/IBM at IBMCH
> > To:	Alexander Bokovoy <abokovoy at redhat.com>, freeipa-users at redhat.com
> > Date:	30.05.2015 18:52
> > Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved
> > Sent by:	freeipa-users-bounces at redhat.com
> >
> >
> >
> > Hi All
> >
> > It gives me pleasure to report the problem is solved - a minute ago I was
> > able to login via ssh with my FreeIPA user to the problem server, while
> > sitting on my terrace with a glass of wine!
> >
> > Thanks to Alexander for his helpful advice - we had some mail exchange
> > outside the user list as I did not wish to broadcast content of keys,
> > config files etc.
> >
> > Regardless of what I did with commands like klist, kvno everything seemed
> > "ok", but I still could not ssh in. Even an ipa-getkeytab did not help.
> >
> > Therefore I decided to opt for brute force and (partial) ignorance. I
> > completely uninstalled the FreeIPA client, and then reinstalled, configured
> > - et voilà I could ssh in!
> >
> > This leaves the enigma: what caused the problem? I suspect the following:
> >
> > The host is an EL 7.1, but the first FreeIPA client installed was version
> > 3.3.3 (installed as set of standard packages that we bung on all our
> > servers).
> >
> > This worked fine to authenticate against our "old" 3.x FreeIPA server, but
> > did not work against the "new" 4.1 FreeIPA Server.
> >
> > When I realised I could not ssh in, one of the first things I did was to
> > yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
> > The solution was to yum remove the FreeIPA client, then yum install the 4.1
> > client.
> >
> > I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
> > it will be interesting to see if the problem can be reproduced.
> >
> > Keep up the good work,
> >
> > Chris
> >
> > From:	Alexander Bokovoy <abokovoy at redhat.com>
> > To:	Christopher Lamb/Switzerland/IBM at IBMCH
> > Cc:	freeipa-users at redhat.com
> > Date:	29.05.2015 18:04
> > Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1
> >
> >
> >
> > On Fri, 29 May 2015, Christopher Lamb wrote:
> > >
> > >Hi All
> > >
> > >Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
> > >the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
> > >across the users.
> > >
> > >We have 50 odd Servers that are FreeIPA clients. Today I started migrating
> > >these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
> > >server by doing an ipa-client-install --uninstall from the old, and
> > >ipa-client-install to register with the new 4.1.0 server.
> > >
> > >Most of the FreeIPA clients are running OEL 6.5, and for these the
> > >migration process above worked perfectly. After migrating the server, I
> > >could ssh in with my FreeIPA user.
> > >
> > >Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
> > >getent passwd was successful for my FreeIPA user. However when I try and
> > >ssh in, my FreeIPA user / password is not accepted.
> > >
> > >Before the migration I could ssh into the problem server (though evidently
> > >it was using my FreeIPA user from the old FreeIPA server).
> > >
> > >I can ssh in with a local (non ldap) user, so ssh is running and working.
> > >
> > >From user root I can successfully su to my FreeIPA user.
> > >
> > >Further investigation showed that version of ipa-client installed was
> > >3.3.3, so I yum updated this to 4.1.0.
> > >
> > >However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
> > >same user continues to work for the 6.5 boxes.
> > >
> > >A colleague tried to ssh in with his FreeIPA user, and was also rejected,
> > >so the problem is not my user, but is probably for all FreeIPA users.
> > >
> > >A failed ssh login attempt causes the following error in /var/log/messages
> > >
> > >[sssd[krb5_child[5393]]]: Decrypt integrity check failed
> > It means /etc/krb5.keytab contains keys from the older system and SSSD
> > picks them up.
> > Can you show the output of 'klist -kKet'?
> > --
> > / Alexander Bokovoy
> >
> >
> >
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
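An added check, not code from the thread: given the text of `klist -kte`, it flags the keytab symptoms Alexander points at (keys from another realm, one principal under more than one KVNO, and a host key version behind what the KDC holds). The listings, the realms EXAMPLE.TEST / OLD.EXAMPLE.TEST and the host name are constructed sample data; on a real client pipe `klist -kte` in and take the KDC's KVNO from `kvno host/$(hostname -f)` run with a valid credential cache.

```shell
#!/bin/sh
# Added example (not from the thread): look for the keytab problem Alexander
# points at -- /etc/krb5.keytab still holding keys from the old IPA server.
# On a real client feed it the text of 'klist -kte'; the listings below are
# constructed sample data and EXAMPLE.TEST / OLD.EXAMPLE.TEST are made-up realms.
# keytab_findings LISTING REALM [KDC_KVNO]
#   Prints one line per problem and returns 1 if any was found, else 0.
#   KDC_KVNO is the key version the KDC holds for host/FQDN now (on a real
#   client 'kvno host/$(hostname -f)' prints it); omit it to skip that check.
keytab_findings() {
    listing=$1; realm=$2; kdc_kvno=${3:-}; rc=0
    # Entry lines look like "   2 06/01/2015 19:10:03 host/x@REALM (aes256-...)":
    # keep "<kvno> <principal>" and drop the header lines.
    entries=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ {print $1, $4}')
    # 1. entries from a realm other than the one the client is enrolled in
    foreign=$(printf '%s\n' "$entries" |
        awk -v r="$realm" '{split($2, p, "@")} p[2] != r {print $2}' | sort -u)
    for p in $foreign; do echo "foreign realm: $p"; rc=1; done
    # 2. the same principal under more than one KVNO (an earlier enrollment
    #    was never removed, which is what a stale keytab usually looks like)
    multi=$(printf '%s\n' "$entries" | sort -u |
        awk '{n[$2]++} END {for (p in n) if (n[p] > 1) print p}')
    for p in $multi; do echo "multiple KVNOs: $p"; rc=1; done
    # 3. newest host key in the keytab vs the KVNO the KDC reports
    if [ -n "$kdc_kvno" ]; then
        have=$(printf '%s\n' "$entries" | awk -v r="$realm" 'BEGIN {m = 0}
            {split($2, p, "@")} $2 ~ /^host\// && p[2] == r && $1 + 0 > m {m = $1 + 0}
            END {print m}')
        [ "$have" -eq "$kdc_kvno" ] || { echo "host kvno $have in keytab, KDC has $kdc_kvno"; rc=1; }
    fi
    return $rc
}

# Constructed listing: old-realm keys plus two key versions for the new realm.
STALE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/29/2015 18:04:12 host/oel7.example.test@OLD.EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 06/01/2015 19:10:03 host/oel7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 06/01/2015 19:10:03 host/oel7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 06/01/2015 19:10:03 host/oel7.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'
# Constructed listing as it should look after a clean re-enrollment.
CLEAN_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/02/2015 09:50:41 host/oel7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 06/02/2015 09:50:41 host/oel7.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'
keytab_findings "$STALE_KEYTAB" EXAMPLE.TEST 3 || echo "stale keytab: re-enroll the client"
```

A keytab whose principal and KVNO match the KDC but whose key bytes differ (only visible as different hex under `klist -K` compared against the server) passes all three checks; in the thread that case cleared only after a full client uninstall and reinstall.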