[Freeipa-users] Cannot login with GSSAPI to IPA client

nathan at nathanpeters.com nathan at nathanpeters.com
Wed Jun 17 17:44:39 UTC 2015


> On Tue, Jun 16, 2015 at 04:32:31PM -0700, nathan at nathanpeters.com wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30.  The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one
>> client, and fails on the other.  I have compared the /etc/krb5.conf,
>> /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients
>> and
>> they are identical (other than the hostnames).  I can't seem to find any
>> other difference between the clients.
>>
>> Password authentication works on both machines.
>>
>> Here is the debug log of the failed login machine (sshd)
>>
>> I think the relevant line is the very last one where it postpones the
>> login for some reason
>>
>> Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2
>
> This message is in the other log as well and I think this is ok.
>
> Have you checked if the keytab on the host with the issue has the latest key
> version?
>
> To check this, call 'klist -k' as root on the server and then call 'kvno
> host/...' with the principal shown in the klist output. Both kvno
> numbers should be the same. If they differ, call ipa-getkeytab on the
> server to get a fresh keytab. Please note that you have to call kdestroy
> and kinit on the client to remove the old, now invalid ticket from the
> client's credential cache.
>
> HTH
>
> bye,
> Sumit

It turns out this was something really basic.

We had multiple DNS entries for this host, and the reverse entry did not
match the DNS name I was connecting to the host with.
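The two checks discussed in this thread, Sumit's keytab-versus-KDC KVNO comparison and the forward/reverse DNS agreement that turned out to be the actual cause, as an added shell example that is not part of the original messages. The principal, realm, host names and the sample `klist -k` / `kvno` output it parses are constructed for illustration; the live mode at the bottom runs the real commands and is an assumption about how a practitioner would wire it up on a CentOS/IPA client.

```shell
#!/bin/sh
# Added example (not from the thread): compare the host principal's KVNO in the
# local keytab with the KVNO the KDC hands out, and check that the name used to
# connect and its PTR record agree. Principal, realm and sample outputs are
# constructed for illustration.

# Highest KVNO listed for principal $2 in `klist -k` output passed as $1.
# Prints nothing if the principal is not in the keytab at all.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { max = 0 }
        $2 == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (found) print max }'
}

# KVNO reported by the KDC, parsed from `kvno` output passed as $1
# (one line per principal: "princ: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { q = $1; sub(/:$/, "", q); if (q == p && $2 == "kvno") print $4 }'
}

# Succeeds only when the keytab has the principal and its KVNO equals the KDC's.
kvno_matches() {
    princ=$1; kt_out=$2; kdc_out=$3
    a=$(keytab_kvno "$kt_out" "$princ")
    b=$(kdc_kvno "$kdc_out" "$princ")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Lower-case and strip the trailing dot so "HOST.example.test." equals "host.example.test".
canon_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeeds when the name used for ssh ($1) and the PTR result for its address ($2) agree.
reverse_matches() {
    [ "$(canon_name "$1")" = "$(canon_name "$2")" ]
}

# Live run on a real client (assumed usage): sh check.sh --live client.example.test
# Needs root to read /etc/krb5.keytab and a valid TGT so that `kvno` can ask the KDC.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    host=$2
    kt_out=$(klist -k /etc/krb5.keytab)
    # Pick the full host/<name>@REALM principal from the keytab so kvno output matches exactly.
    princ=$(printf '%s\n' "$kt_out" | awk -v h="host/$host@" 'index($2, h) == 1 { print $2; exit }')
    kdc_out=$(kvno "$princ" 2>&1 || true)
    if kvno_matches "$princ" "$kt_out" "$kdc_out"; then
        echo "kvno ok for $princ: $(kdc_kvno "$kdc_out" "$princ")"
    else
        echo "kvno MISMATCH for $princ: keytab=$(keytab_kvno "$kt_out" "$princ") kdc=$(kdc_kvno "$kdc_out" "$princ")"
        echo "  -> fetch a fresh keytab with ipa-getkeytab, then kdestroy && kinit on the client"
    fi
    ip=$(getent hosts "$host" | awk 'NR == 1 { print $1 }')
    ptr=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    if reverse_matches "$host" "$ptr"; then
        echo "reverse DNS ok: $host -> $ip -> $ptr"
    else
        echo "reverse DNS MISMATCH: $host -> $ip -> $ptr (client may request host/$ptr instead of host/$host)"
    fi
fi
```

The DNS half matters because MIT Kerberos, with the default `rdns = true` in krb5.conf, canonicalizes the service host name through the PTR record before building the `host/...` principal it asks the KDC for; if the PTR name differs from the name typed on the ssh command line and is not in the server's keytab, the GSSAPI exchange fails while password login, which never touches the keytab, keeps working.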
