[Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1

Alexander Bokovoy abokovoy at redhat.com
Fri May 29 16:04:17 UTC 2015


On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I set up a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that the version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>so the problem is not my user, but is probably for all FreeIPA users.
>
>A failed ssh login attempt causes the following error in /var/log/messages
>
>[sssd[krb5_child[5393]]]: Decrypt integrity check failed

It means /etc/krb5.keytab contains keys from the older system and SSSD
picks them up.
Can you show output of 'klist -kKet'?
-- 
/ Alexander Bokovoy
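
Added example, not part of the original message: one way to read `klist -ket` output for the condition described in the reply is to list keytab entries whose timestamp predates the re-enrollment date. The sample listing, host name, realm and cutoff date are constructed, and the MM/DD/YYYY timestamp format is an assumption about the local klist output.

```shell
#!/bin/sh
# Added example: flag keytab entries written before a cutoff date.
# A timestamp older than the re-enrollment is a heuristic for a key left
# over from the previous enrollment, not proof.

# Constructed sample in the layout of `klist -ket` output (no key material).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/12/2014 09:15:02 host/el7client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 11/12/2014 09:15:02 host/el7client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 05/29/2015 10:41:37 host/el7client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 05/29/2015 10:41:37 host/el7client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
EOF
}

# stdin: klist listing; $1: cutoff date (YYYY-MM-DD), e.g. the day the
# client was enrolled against the new server.
# stdout: "KVNO date principal (enctype)" for each entry older than the cutoff.
stale_keytab_entries() {
    awk -v cutoff="$1" '
        # Entry lines begin with a numeric KVNO followed by MM/DD/YYYY.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/ {
            split($2, d, "/")
            iso = d[3] "-" d[1] "-" d[2]      # sortable YYYY-MM-DD
            if ((iso "") < (cutoff "")) print $1, iso, $4, $5
        }'
}

# Demo on the constructed sample. On a real client the input would be:
#   klist -ket /etc/krb5.keytab | stale_keytab_entries <enrollment date>
sample_klist_output | stale_keytab_entries 2015-05-29
```

Entries it prints are candidates for comparison against the host principal's current KVNO on the server (`kvno host/<fqdn>` after `kinit`).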



