[Freeipa-users] ipa-backup and ipa-restore

Bob Hinton bob at jackland.demon.co.uk
Sat May 23 11:51:48 UTC 2015


Hello,

I've been trying to rebuild an ipamaster by using ipa-backup, destroying
and recreating the ipamaster VM then using ipa-restore on the rebuilt
master.

Most functions of the newly built master work. Logging-in via ssh with
keys works but using passwords produces "Permission denied, please try
again".

Password attempts are logged with an authentication failure in /var/log/secure:

May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
auser: 7 (Authentication failure)
May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
auser: 7 (Authentication failure)
May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 
user=adminuser
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
user=adminuser
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
adminuser: 7 (Authentication failure)
May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
user=adminuser
May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
adminuser: 7 (Authentication failure)

I have two test users "adminuser" and "auser". I've tried various things
with auser involving kadmin.local to attempt to change the kerberos
password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
try and force the user keytab to be invalid in the hope that it would be
recreated, but this hasn't had any impact apart from slightly different
errors in /var/log/krb5kdc.log (see below).

I've also tried replacing the keytab by using "ipa-getkeytab -p
host/ipa004.test.jackland.uk@TEST.JACKLAND.UK -k temp.keytab -s
localhost" to create a new one and then copying it over /etc/krb5.keytab,
but this also didn't have any impact.

Can anyone tell me what I need to do to make ssh password authentication
work on a newly created ipamaster with ipa populated via ipa-restore?

The VM is RHEL7.1 with the following versions of ipa-server and
ipa-client installed.

Many thanks

Bob

Name        : ipa-server
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 4.2 M
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
            : user, virtual machines, groups, authentication
credentials), Policy
            : (configuration settings, access control information) and
Audit (events,
            : logs, analysis thereof). If you are installing an IPA
server you need
            : to install this package (in other words, most people
should NOT install
            : this package).

Name        : ipa-client
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 440 k
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : IPA authentication for use on clients
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
            : user, virtual machines, groups, authentication
credentials), Policy
            : (configuration settings, access control information) and
Audit (events,
            : logs, analysis thereof). If your network uses IPA for
authentication,
            : this package should be installed on every client machine.



May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
<unknown client> for <unknown server>, Decrypt integrity check failed
while handling ap-request armor
May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK, Additional pre-authentication
required
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
etypes {rep=18 tkt=18 ses=18},
host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
etypes {rep=18 tkt=18 ses=18},
host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170,
etypes {rep=18 tkt=18 ses=18}, admin at TEST.JACKLAND.UK for
ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
auser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
Password has expired
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
auser at TEST.JACKLAND.UK for kadmin/changepw at TEST.JACKLAND.UK, Additional
pre-authentication required
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
<unknown client> for <unknown server>, Decrypt integrity check failed
while handling ap-request armor
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
auser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
Password has expired
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
auser at TEST.JACKLAND.UK for kadmin/changepw at TEST.JACKLAND.UK, Additional
pre-authentication required
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
<unknown client> for <unknown server>, Decrypt integrity check failed
while handling ap-request armor
May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
adminuser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
Additional pre-authentication required
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
<unknown client> for <unknown server>, Decrypt integrity check failed
while handling ap-request armor
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
adminuser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
Additional pre-authentication required
May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
<unknown client> for <unknown server>, Decrypt integrity check failed
while handling ap-request armor
May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
down fd 11
May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168,
etypes {rep=18 tkt=18 ses=18},
HTTP/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ...
CONSTRAINED-DELEGATION s4u-client=admin at TEST.JACKLAND.UK
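An added example, not part of Bob's post or of FreeIPA itself: a small correlator that reads the two logs quoted above side by side. For each pam_sss "received for user X: 7 (Authentication failure)" line from /var/log/secure it collects the KDC AS_REQ outcomes logged for that user within a few seconds and classifies the failure, so that a "Decrypt integrity check failed while handling ap-request armor" (the KDC could not open the FAST armor that SSSD built from the host's credentials, so the user's password was never the thing being checked) stands out from a plain PREAUTH_FAILED (a wrong password) or from no KDC traffic at all. The sample lines are trimmed copies of the post's logs with mailman's " at " restored to "@"; the year 2015 (syslog timestamps carry none) and the 3-second window are assumptions.

```python
"""Correlate pam_sss failures in /var/log/secure with KDC AS_REQ outcomes in krb5kdc.log."""
import re
from datetime import datetime

YEAR = 2015         # assumption: syslog lines carry no year; taken from the post's date
WINDOW_SECONDS = 3  # assumption: max gap between a PAM failure and its KDC exchange

# Constructed sample input: lines trimmed from the post's logs, " at " restored to "@".
SECURE_LINES = [
    "May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)",
    "May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)",
    "May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)",
]
KDC_LINES = [
    "May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Password has expired",
    "May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: auser@TEST.JACKLAND.UK for kadmin/changepw@TEST.JACKLAND.UK, Additional pre-authentication required",
    "May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor",
    "May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Password has expired",
    "May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: auser@TEST.JACKLAND.UK for kadmin/changepw@TEST.JACKLAND.UK, Additional pre-authentication required",
    "May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor",
    "May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminuser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Additional pre-authentication required",
    "May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor",
    "May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa004.test.jackland.uk@TEST.JACKLAND.UK for ldap/ipa004.test.jackland.uk@TEST.JACKLAND.UK",
]

# pam_sss logs the PAM return code; 7 is PAM_AUTH_ERR.
PAM_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: pam_sss\(sshd:auth\): "
                    r"received for user (\S+): (\d+) \((.*)\)$")
KDC_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
                    r"(AS_REQ|TGS_REQ) \(.*?\) (\S+): (.*)$")
PRINC_RE = re.compile(r"(\S+@\S+) for ")

# KDC message prefix -> event kind. PREAUTH_FAILED is what a genuinely wrong password produces.
KDC_KINDS = [("error decoding FAST", "fast_armor_failure"), ("CLIENT KEY EXPIRED", "password_expired"),
             ("PREAUTH_FAILED", "wrong_password"), ("NEEDED_PREAUTH", "preauth_requested"),
             ("ISSUE", "issued")]


def parse_ts(text):
    """Syslog timestamp (no year) -> datetime, with the assumed YEAR filled in."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S").replace(year=YEAR)


def parse_pam_failures(lines):
    out = []
    for line in lines:
        m = PAM_RE.match(line)
        if m:
            out.append({"time": parse_ts(m.group(1)), "user": m.group(2),
                        "pam_code": int(m.group(3)), "pam_text": m.group(4)})
    return out


def parse_kdc_events(lines):
    out = []
    for line in lines:
        m = KDC_RE.match(line)
        if not m:
            continue
        msg = m.group(4)
        kind = next((k for prefix, k in KDC_KINDS if msg.startswith(prefix)), "other")
        princ = PRINC_RE.search(msg)  # None for "<unknown client>" lines
        out.append({"time": parse_ts(m.group(1)), "req": m.group(2), "client_ip": m.group(3),
                    "kind": kind, "client": princ.group(1) if princ else None})
    return out


def verdict(kinds):
    if "fast_armor_failure" in kinds:
        return "fast-armor"      # KDC rejected the armor, so the password was never verified
    if "wrong_password" in kinds:
        return "bad-password"
    if "password_expired" in kinds:
        return "expired"
    if not kinds:
        return "no-kdc-event"    # nothing reached the KDC: look at SSSD, not at the KDC
    return "unclear"


def correlate(secure_lines, kdc_lines):
    """One row per PAM failure: the KDC event kinds seen around it and a verdict."""
    kdc = parse_kdc_events(kdc_lines)
    rows = []
    for fail in parse_pam_failures(secure_lines):
        kinds = set()
        for ev in kdc:
            if abs((ev["time"] - fail["time"]).total_seconds()) > WINDOW_SECONDS:
                continue
            # FAST errors carry no principal, so they attach to any failure inside the window.
            if ev["client"] is None or ev["client"].split("@")[0] == fail["user"]:
                kinds.add(ev["kind"])
        rows.append({"time": fail["time"].strftime("%b %d %H:%M:%S"), "user": fail["user"],
                     "kdc_kinds": sorted(kinds), "verdict": verdict(kinds)})
    return rows


if __name__ == "__main__":
    for row in correlate(SECURE_LINES, KDC_LINES):
        print(f'{row["time"]} {row["user"]:<10} {row["verdict"]:<13} {",".join(row["kdc_kinds"])}')
```

On the post's data every PAM failure lands on "fast-armor" for both users, including adminuser, whose principal is neither expired nor rejected for its password; that is the cue that the problem sits with the credentials SSSD uses to build the FAST armor on the restored master rather than with the user accounts. Run it against real files by replacing the two sample lists with the file contents split into lines.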