[Freeipa-users] ipa-backup and ipa-restore

Martin Kosek mkosek at redhat.com
Mon May 25 10:37:39 UTC 2015


Good, thanks for confirmation. I filed a Bugzilla to add this information to the
IPA guide:

https://bugzilla.redhat.com/show_bug.cgi?id=1224682

Please feel free to add any useful information you would like to see in the
guide to the Bugzilla comment.

Thank you,
Martin

On 05/25/2015 11:00 AM, Bob Hinton wrote:
> Hi Martin,
> 
> Yes. This fixes the problem on a newly recreated ipamaster - it didn't
> work on the one I'd been playing around with.
> 
> So the complete rebuild sequence was...
> 
> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>      login as an admin user with sudo to root access
>      sudo -i
>      ipa-backup
>      tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>      scp ipa004_backups_22052015.tgz to a backup system, destroy old
> ipamaster VM
> 
> 2) Recreate ipamaster VM (identical configuration to original)
>     From backup system -
>     scp ipa004_backups_22052015.tgz admin at ipa004:
>     ssh admin at ipa004
>     su                         (enter root password - no users with sudo
> access exist yet)
>     tar xvfPz ipa004_backups_22052015.tgz
>     ipa-restore ipa-full-2015-05-22-17-28-01
>     systemctl stop sssd
>     rm -f /var/lib/sss/db/*
>     systemctl start sssd
> 
> Many thanks
> 
> Bob
> 
> On 25/05/2015 07:10, Martin Kosek wrote:
>> On 05/23/2015 01:51 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've been trying to rebuild an ipamaster by using ipa-backup, destroying
>>> and recreating the ipamaster VM then using ipa-restore on the rebuilt
>>> master.
>>>
>>> Most functions of the newly built master work. Logging-in via ssh with
>>> keys works but using passwords produces "Permission denied, please try
>>> again".
>>>
>>> Password attempts are logged with Authentication Failure in /var/log/secure
>>>
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
>>> auser: 7 (Authentication failure)
>>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
>>> May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user
>>> auser: 7 (Authentication failure)
>>> May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1  user=auser
>>> May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 
>>> user=adminuser
>>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
>>> user=adminuser
>>> May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
>>> adminuser: 7 (Authentication failure)
>>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1
>>> user=adminuser
>>> May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user
>>> adminuser: 7 (Authentication failure)
>>>
>>> I have two test users "adminuser" and "auser". I've tried various things
>>> with auser involving kadmin.local to attempt to change the kerberos
>>> password and "ipa user-mod auser --principal-expiration=2012-01-01Z" to
>>> try and force the user keytab to be invalid in the hope that it would be
>>> recreated, but this hasn't had any impact apart from slightly different
>>> errors in /var/log/krb5kdc.log (see below).
>>>
>>> I've also tried replacing the keytab by using " ipa-getkeytab -p
>>> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK -k temp.keytab -s
>>> localhost" to create a new one and then copy it over /etc/krb5.keytab,
>>> but this also didn't have any impact.
>>>
>>> Can anyone tell me what I need to do to make ssh password authentication
>>> work on an newly created ipamaster with ipa populated via ipa-restore ?
>>>
>>> The VM is RHEL7.1 with the following versions of ipa-server and
>>> ipa-client installed.
>>>
>>> Many thanks
>>>
>>> Bob
>>>
>>> Name        : ipa-server
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 4.2 M
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : The IPA authentication server
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>>             : user, virtual machines, groups, authentication
>>> credentials), Policy
>>>             : (configuration settings, access control information) and
>>> Audit (events,
>>>             : logs, analysis thereof). If you are installing an IPA
>>> server you need
>>>             : to install this package (in other words, most people
>>> should NOT install
>>>             : this package).
>>>
>>> Name        : ipa-client
>>> Arch        : x86_64
>>> Version     : 4.1.0
>>> Release     : 18.el7_1.3
>>> Size        : 440 k
>>> Repo        : installed
>>> From repo   : rhel-7-server-rpms
>>> Summary     : IPA authentication for use on clients
>>> URL         : http://www.freeipa.org/
>>> Licence     : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>>             : user, virtual machines, groups, authentication
>>> credentials), Policy
>>>             : (configuration settings, access control information) and
>>> Audit (events,
>>>             : logs, analysis thereof). If your network uses IPA for
>>> authentication,
>>>             : this package should be installed on every client machine.
>>>
>>>
>>>
>>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>> May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
>>> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
>>> krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK, Additional pre-authentication
>>> required
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
>>> etypes {rep=18 tkt=18 ses=18},
>>> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
>>> krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432379419,
>>> etypes {rep=18 tkt=18 ses=18},
>>> host/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
>>> ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
>>> May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432377170,
>>> etypes {rep=18 tkt=18 ses=18}, admin at TEST.JACKLAND.UK for
>>> ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
>>> May 23 12:11:30 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
>>> auser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
>>> Password has expired
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
>>> auser at TEST.JACKLAND.UK for kadmin/changepw at TEST.JACKLAND.UK, Additional
>>> pre-authentication required
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>> May 23 12:17:10 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: CLIENT KEY EXPIRED:
>>> auser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
>>> Password has expired
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
>>> auser at TEST.JACKLAND.UK for kadmin/changepw at TEST.JACKLAND.UK, Additional
>>> pre-authentication required
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>> May 23 12:17:17 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
>>> adminuser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
>>> Additional pre-authentication required
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>> May 23 12:17:33 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH:
>>> adminuser at TEST.JACKLAND.UK for krbtgt/TEST.JACKLAND.UK at TEST.JACKLAND.UK,
>>> Additional pre-authentication required
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST:
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>>> May 23 12:17:38 ipa004.test.jackland.uk krb5kdc[2724](info): closing
>>> down fd 11
>>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): TGS_REQ (6
>>> etypes {18 17 16 23 25 26}) 172.16.128.159: ISSUE: authtime 1432378168,
>>> etypes {rep=18 tkt=18 ses=18},
>>> HTTP/ipa004.test.jackland.uk at TEST.JACKLAND.UK for
>>> ldap/ipa004.test.jackland.uk at TEST.JACKLAND.UK
>>> May 23 12:19:07 ipa004.test.jackland.uk krb5kdc[2724](info): ...
>>> CONSTRAINED-DELEGATION s4u-client=admin at TEST.JACKLAND.UK
>>>
>>
>> This log is strange:
>>
>>> <unknown client> for <unknown server>, Decrypt integrity check failed
>>> while handling ap-request armor
>> I assume SSSD's attempts generate this log. Would stopping SSSD, cleaning its
>> caches (including the FAST ccache) in /var/lib/sss/db/ and starting again help?
>>
> 
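The rebuild sequence Bob posted, turned into a script with the checks an operator would want around it. This is an added example, not code from the thread or from the FreeIPA project. Assumed, and labelled in the comments: the backup root /var/lib/ipa/backup (where ipa-backup writes ipa-full-YYYY-MM-DD-HH-MM-SS directories), the SSSD cache directory /var/lib/sss/db, and the function names, the tarball name and the SHA-256 digest file, which are this example's own choices. The "backup" stage runs on the master about to be destroyed; the "restore" stage runs as root on the rebuilt VM.

```shell
#!/bin/sh
# Added example (not from the thread): Bob's backup/restore sequence as
# shell functions with integrity and selection checks added.
# Assumptions: BACKUP_ROOT is where ipa-backup writes its ipa-full-* dirs,
# SSSD_DB is where SSSD keeps its caches (including fast_ccache_<REALM>).
set -eu

BACKUP_ROOT=${BACKUP_ROOT:-/var/lib/ipa/backup}
SSSD_DB=${SSSD_DB:-/var/lib/sss/db}

# Pick the newest full backup directory by name. ipa-backup names them
# ipa-full-YYYY-MM-DD-HH-MM-SS, so a plain lexical sort is chronological.
latest_full_backup() {
    ls -1 "$1" 2>/dev/null \
        | grep -E '^ipa-full-[0-9]{4}(-[0-9]{2}){5}$' \
        | sort | tail -n 1
}

# Compare an archive's SHA-256 against the digest recorded beside it
# (digest file format: "<hex>  <path>", as written by sha256sum).
# Returns non-zero if the digest file is missing or does not match.
verify_archive() {
    archive=$1; sumfile=$2
    [ -r "$sumfile" ] || return 1
    expected=$(cut -d' ' -f1 "$sumfile")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Remove SSSD's on-disk caches (identity cache and fast_ccache_<REALM>).
# Takes the directory as an argument so it can be exercised on a scratch dir.
clear_sssd_db() {
    dir=$1
    [ -d "$dir" ] || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} +
}

# Stage 1, on the master that is about to be destroyed.
backup_stage() {
    tarball=$1
    ipa-backup
    # The archive holds Directory Server data, keytabs and CA key material:
    # create it unreadable to others and record a digest to verify after copy.
    umask 077
    tar -czf "$tarball" -C / "${BACKUP_ROOT#/}"
    sha256sum "$tarball" > "$tarball.sha256"
}

# Stage 2, on the rebuilt master (same hostname, same IPA version).
restore_stage() {
    tarball=$1
    verify_archive "$tarball" "$tarball.sha256" || {
        echo "digest missing or mismatch for $tarball" >&2; return 1; }
    tar -xzf "$tarball" -C /
    name=$(latest_full_backup "$BACKUP_ROOT")
    [ -n "$name" ] || {
        echo "no ipa-full-* backup under $BACKUP_ROOT" >&2; return 1; }
    ipa-restore "$name"
    # Drop SSSD caches left from before the restore (Martin's suggestion,
    # which Bob confirmed made password logins work again).
    systemctl stop sssd
    clear_sssd_db "$SSSD_DB"
    systemctl start sssd
}

case "${1:-}" in
    backup)  backup_stage "$2" ;;
    restore) restore_stage "$2" ;;
esac
```

Usage: `sh ipa-rebuild.sh backup /root/ipa004_backups.tgz` on the old master, copy both the tarball and the .sha256 file off the host, then `sh ipa-rebuild.sh restore /root/ipa004_backups.tgz` on the rebuilt VM. The digest check is there because the archive contains everything needed to impersonate the realm; the name filter prevents ipa-restore from being handed a data-only (ipa-data-*) backup when a full one was intended.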
