[Freeipa-users] Troubleshooting SSO

Tue Mar 31 14:02:37 UTC 2015

Klist in Windows showed one ticket for the IPA domain.

#0>	Client: adm-faru03 @ test.osuwmc
	Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
	Ticket Flags 0x40a40000 -> forward able renewable pre_authent
ok_as_delegate
	Start Time: 3/31/2015: 9:29:25 (local)
	End Time:   3/31/2015: 15:28:22 (local)
	Session Key Type: AES-256-CTS-HMAC-SHA1-96

IPA and SSSD are:
ipa-server.x86_64  
4.1.0-18.el7_1.3
sssd.x86_64        
1.12.2-58.el7_1.6.1

Kinit adm-faru03 at TEST.OSUWMC was telling. Once it reported ³kinit: KDC
reply did not match expectations while getting initial credentials². We
waited a minute or two (were discussing results) and tried again just
adding the -V flag and it worked.

Kvno host/mid-ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC = 2

Verbose logging in putty gave the following error:

On 3/31/15, 3:30 AM, "Sumit Bose" <sbose at redhat.com> wrote:

>
>Can you do the follwoing checks:
>
>Can you check by calling klist in a Windows Command window if you got
>                  
>                  
>a proper host/... ticket for the IPA host?
>                  
>                  
>                  
>                  
>                  
>What version of IPA and SSSD are you using.
>                  
>                  
>                  
>                  
>                  
>Can you check if the following works on a IPA host:
>                  
>                  
>                  
>                  
>                  
>kinit adm-faru03 at TEST.OSUWMC
>                  
>                  
>kvno host/name.of.the.ipa-client.to.login at IPA.REALM
>                  
>                  
>ssh -v -l adm-faru03 at test.osuwmc name.of.the.ipa-client.to.login
>                  
>                                          