[Freeipa-users] ipa-backup and ipa-restore

Bob Hinton bob at jackland.demon.co.uk
Mon May 25 09:00:27 UTC 2015


Hi Martin,

Yes. This fixes the problem on a newly recreated ipamaster - it didn't
work on the one I'd been playing around with.

So the complete rebuild sequence was...

1) On old ipamaster VM ipa004 (did this on 22/05/2015)
    login as an admin user with sudo to root access
    sudo -i
    ipa-backup
    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
    scp ipa004_backups_22052015.tgz to a backup system, destroy old ipamaster VM

2) Recreate ipamaster VM (identical configuration to original)
    From backup system -
    scp ipa004_backups_22052015.tgz admin@ipa004:
    ssh admin@ipa004
    su                         (enter root password - no users with sudo access exist yet)
    tar xvfPz ipa004_backups_22052015.tgz
    ipa-restore ipa-full-2015-05-22-17-28-01
    systemctl stop sssd
    rm -f /var/lib/sss/db/*
    systemctl start sssd

Many thanks

Bob

On 25/05/2015 07:10, Martin Kosek wrote:
> On 05/23/2015 01:51 PM, Bob Hinton wrote:
>> Hello,
>>
>> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
>> and recreating the ipamaster VM then using ipa-restore on the rebuilt
>> master.
>>
>> Most functions of the newly built master work. Logging-in via ssh with
>> keys works but using passwords produces "Permission denied, please try
>> again".
>>
>> Password attempts are logged with Authentication Failure in /var/log/secure
>>
>> May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
>> May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
>> May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=adminuser
>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
>>
>> I have two test users "adminuser" and "auser". I've tried various things
>> with auser involving kadmin.local to attempt to change the kerberos
>> password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
>> try and force the user keytab to be invalid in the hope that it would be
>> recreated, but this hasn't had any impact apart from slightly different
>> errors in /var/log/krb5kdc.log (see below).
>>
>> I've also tried replacing the keytab by using "ipa-getkeytab -p
>> host/ipa004.test.jackland.uk@TEST.JACKLAND.UK -k temp.keytab -s
>> localhost" to create a new one and then copy it over /etc/krb5.keytab,
>> but this also didn't have any impact.
>>
>> Can anyone tell me what I need to do to make ssh password authentication
>> work on a newly created ipamaster with ipa populated via ipa-restore?
>>
>> The VM is RHEL7.1 with the following versions of ipa-server and
>> ipa-client installed.
>>
>> Many thanks
>>
>> Bob
>>
>> Name        : ipa-server
>> Arch        : x86_64
>> Version     : 4.1.0
>> Release     : 18.el7_1.3
>> Size        : 4.2 M
>> Repo        : installed
>> From repo   : rhel-7-server-rpms
>> Summary     : The IPA authentication server
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). If you are installing an IPA server you need
>>             : to install this package (in other words, most people should NOT install
>>             : this package).
>>
>> Name        : ipa-client
>> Arch        : x86_64
>> Version     : 4.1.0
>> Release     : 18.el7_1.3
>> Size        : 440 k
>> Repo        : installed
>> From repo   : rhel-7-server-rpms
>> Summary     : IPA authentication for use on clients
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). If your network uses IPA for authentication,
>>             : this package should be installed on every client machine.
>>
>>
>>
>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: host/ipa004.test.jackland.uk@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Additional pre-authentication required
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/ipa004.test.jackland.uk@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419, etypes {rep=18 tkt=18 ses=18}, host/ipa004.test.jackland.uk@TEST.JACKLAND.UK for ldap/ipa004.test.jackland.uk@TEST.JACKLAND.UK
>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170, etypes {rep=18 tkt=18 ses=18}, admin@TEST.JACKLAND.UK for ldap/ipa004.test.jackland.uk@TEST.JACKLAND.UK
>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Password has expired
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: auser@TEST.JACKLAND.UK for kadmin/changepw@TEST.JACKLAND.UK, Additional pre-authentication required
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Password has expired
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: auser@TEST.JACKLAND.UK for kadmin/changepw@TEST.JACKLAND.UK, Additional pre-authentication required
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminuser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Additional pre-authentication required
>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminuser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Additional pre-authentication required
>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa004.test.jackland.uk@TEST.JACKLAND.UK for ldap/ipa004.test.jackland.uk@TEST.JACKLAND.UK
>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TEST.JACKLAND.UK
>>
>
> This log is strange:
>
>> <unknown client> for <unknown server>, Decrypt integrity check failed
>> while handling ap-request armor
> I assume SSSD's attempts generate this log. Would stopping SSSD, cleaning its
> caches (including fast ccache) in /var/lib/sss/db/ and starting again help?
>
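Added example (not part of this thread, and not FreeIPA or SSSD code): a small Python triage script for the symptom discussed above. After an ipa-restore onto a rebuilt master, the tell-tale pattern is a pam_sss "Authentication failure" in /var/log/secure landing at the same second as an "error decoding FAST ... Decrypt integrity check failed while handling ap-request armor" entry in krb5kdc.log, which points at SSSD's stale FAST armor ccache under /var/lib/sss/db/ rather than at the user's password. The script parses both logs, correlates them per user within a short window, and separates that case from a plain CLIENT KEY EXPIRED (as happened to "auser" after the principal-expiration experiment). The sample log lines are constructed from the excerpts quoted in the thread, the log year is pinned to 2015 because syslog timestamps carry none, and the 2-second window is an assumed heuristic, not anything the thread states.

```python
"""Post-restore triage: correlate pam_sss ssh failures (/var/log/secure) with
krb5kdc.log FAST armor errors. Added example, modelled on the thread's excerpts."""
import re
from collections import namedtuple
from datetime import datetime

PamFailure = namedtuple("PamFailure", "ts user pid")
KdcEvent = namedtuple("KdcEvent", "ts kind principal")

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
PAM_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): "
    r"received for user (?P<user>\S+): 7 \(Authentication failure\)"
)
KDC_RE = re.compile(
    SYSLOG_TS + r" \S+ krb5kdc\[\d+\]\(info\): (?:AS_REQ|TGS_REQ) "
    r"\([^)]*\) (?P<ip>\S+): (?P<rest>.*)$"
)
LOG_YEAR = 2015  # assumption: syslog lines carry no year, so pin one for comparisons

# Constructed sample input, based on the lines quoted in the thread (not the real logs).
SECURE_LOG = """\
May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
"""
KDC_LOG = """\
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED: auser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Password has expired
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: adminuser@TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK@TEST.JACKLAND.UK, Additional pre-authentication required
May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor
May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa004.test.jackland.uk@TEST.JACKLAND.UK for ldap/ipa004.test.jackland.uk@TEST.JACKLAND.UK
"""


def _ts(text):
    """Parse a syslog timestamp, collapsing the double space in 'May  3'."""
    return datetime.strptime(f"{LOG_YEAR} " + " ".join(text.split()), "%Y %b %d %H:%M:%S")


def _classify(rest):
    """Map the KDC message body to an event kind and the client principal, if any."""
    if rest.startswith("error decoding FAST:"):
        return "fast_armor_error", None  # KDC could not decrypt the armor ticket
    for kind, prefix in (("key_expired", "CLIENT KEY EXPIRED: "),
                         ("needed_preauth", "NEEDED_PREAUTH: "),
                         ("issue", "ISSUE: ")):
        if rest.startswith(prefix):
            m = re.search(r"(\S+@\S+) for ", rest)
            return kind, m.group(1) if m else None
    return "other", None


def parse_pam_failures(text):
    """Return one PamFailure per pam_sss 'received for user ...: 7' line."""
    return [PamFailure(_ts(m["ts"]), m["user"], int(m["pid"]))
            for m in map(PAM_RE.match, text.splitlines()) if m]


def parse_kdc_events(text):
    """Return one KdcEvent per AS_REQ/TGS_REQ line; 'closing down fd' lines are skipped."""
    events = []
    for m in map(KDC_RE.match, text.splitlines()):
        if m:
            kind, principal = _classify(m["rest"])
            events.append(KdcEvent(_ts(m["ts"]), kind, principal))
    return events


def diagnose(secure_text, kdc_text, window_s=2):
    """Per user: count pam_sss failures, FAST armor errors within the window, and
    whether the KDC reported the user's own key as expired in that window."""
    events = parse_kdc_events(kdc_text)
    report = {}
    for f in parse_pam_failures(secure_text):
        near = [e for e in events if abs((e.ts - f.ts).total_seconds()) <= window_s]
        r = report.setdefault(f.user, {"pam_failures": 0, "fast_armor_errors": 0,
                                       "password_expired": False})
        r["pam_failures"] += 1
        r["fast_armor_errors"] += sum(e.kind == "fast_armor_error" for e in near)
        r["password_expired"] |= any(e.kind == "key_expired" and e.principal
                                     and e.principal.split("@")[0] == f.user for e in near)
    return report


def verdict(report):
    """Turn the per-user counts into a triage line each (remediation as in the thread)."""
    lines = []
    for user, r in sorted(report.items()):
        if r["password_expired"]:
            lines.append(f"{user}: KDC reports CLIENT KEY EXPIRED; fix the principal/password "
                         "expiry first, the FAST error may be secondary")
        elif r["fast_armor_errors"]:
            lines.append(f"{user}: {r['pam_failures']} pam_sss failure(s) coincide with "
                         f"{r['fast_armor_errors']} FAST armor decrypt error(s); stale SSSD "
                         "armor ccache suspected: stop sssd, rm -f /var/lib/sss/db/*, start sssd")
        else:
            lines.append(f"{user}: pam_sss failure with no matching KDC FAST error")
    return lines


if __name__ == "__main__":
    for line in verdict(diagnose(SECURE_LOG, KDC_LOG)):
        print(line)
```

Run against real files by reading /var/log/secure and /var/log/krb5kdc.log into the two text arguments; the correlation is by wall-clock second, so both logs must come from the same host (or hosts with synchronised clocks), and a user who shows up as KEY EXPIRED is reported as such even when an armor error landed in the same second, because that is the condition to clear first.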