[Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1 --> Solved

Christopher Lamb christopher.lamb at ch.ibm.com
Sat May 30 16:50:45 UTC 2015


Hi All

It gives me pleasure to report the problem is solved - a minute ago I was
able to login via ssh with my FreeIPA user to the problem server, while
sitting on my terrace with a glass of wine!

Thanks to Alexander for his helpful advice - we had some mail exchange
outside the user list as I did not wish to broadcast content of keys,
config files etc.

Regardless of what I did with commands like klist, kvno everything seemed
"ok", but I still could not ssh in. Even an ipa-getkeytab did not help.

Therefore I decided to opt for brute force and (partial) ignorance. I
completely uninstalled the FreeIPA client, and then reinstalled, configured
- et voilà I could ssh in!

This leaves the enigma: what caused the problem? I suspect the following:

The host is an EL 7.1, but the first FreeIPA client installed was version
3.3.3 (installed as set of standard packages that we bung on all our
servers).

This worked fine to authenticate against our "old" 3.x FreeIPA server, but
did not work against the "new" 4.1 FreeIPA Server.

When I realised I could not ssh in, one of the first things I did was to
yum update the FreeIPA client from 3.3.3 to 4.1 - but that did not help.
The solution was to yum remove the FreeIPA client, then yum install the 4.1
client.

I have some more EL 7.1 servers with the FreeIPA 3.3.3 client installed, so
it will be interesting to see if the problem can be reproduced.

Keep up the good work,

Chris

From:	Alexander Bokovoy <abokovoy at redhat.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	freeipa-users at redhat.com
Date:	29.05.2015 18:04
Subject:	Re: [Freeipa-users] ssh problem with migrated FreeIPA client on EL7.1

On Fri, 29 May 2015, Christopher Lamb wrote:
>
>Hi All
>
>Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
>the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
>across the users.
>
>We have 50 odd Servers that are FreeIPA clients. Today I started migrating
>these one-by-one from the old FreeIPA 3.x server to the new FreeIPA 4
>server by doing an ipa-client-install --uninstall from the old, and
>ipa-client-install to register with the new 4.1.0 server.
>
>Most of the FreeIPA clients are running OEL 6.5, and for these the
>migration process above worked perfectly. After migrating the server, I
>could ssh in with my FreeIPA user.
>
>Then I migrated an OEL 7.1 server. The migration itself seemed to work, and
>getent passwd was successful for my FreeIPA user. However when I try and
>ssh in, my FreeIPA user / password is not accepted.
>
>Before the migration I could ssh into the problem server (though evidently
>it was using my FreeIPA user from the old FreeIPA server).
>
>I can ssh in with a local (non ldap) user, so ssh is running and working.
>
>From user root I can successfully su to my FreeIPA user.
>
>Further investigation showed that version of ipa-client installed was
>3.3.3, so I yum updated this to 4.1.0.
>
>However I still cannot ssh into the OEL 7.1 box with my FreeIPA user. The
>same user continues to work for the 6.5 boxes.
>
>A colleague tried to ssh in with his FreeIPA user, and was also rejected,
>so the problem is not my user, but is probably for all FreeIPA users.
>
>A failed ssh login attempt causes the following error in /var/log/messages
>
>[sssd[krb5_child[5393]]]: Decrypt integrity check failed
It means /etc/krb5.keytab contains keys from the older system and SSSD
picks them up.
Can you show the output of 'klist -kKet'?
--
/ Alexander Bokovoy
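
The condition Alexander's reply points at can be checked mechanically: the service ticket the KDC hands to sshd is encrypted with the key version the KDC currently issues, so if /etc/krb5.keytab only holds an older version, krb5_child reports "Decrypt integrity check failed". The script below is an added example, not part of this thread; it parses the text output of `klist -ket` and `kvno` (constructed samples inline, host name and realm are placeholders) and reports, per principal, whether the keytab holds the KVNO the KDC is using.

```python
import re

# Constructed sample of `klist -ket /etc/krb5.keytab` output. -k lists the keytab,
# -e shows enctypes, -t timestamps. -K (also print key material) is left out on
# purpose: that output should never be pasted into a mailing list.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2015 09:30:12 host/el71.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 01/10/2015 09:30:12 host/el71.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 01/10/2015 09:31:40 nfs/el71.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `kvno host/el71.example.test nfs/el71.example.test`, run
# with a valid TGT against the new (4.1) KDC: the host key has been re-issued.
KVNO_OUTPUT = """\
host/el71.example.test@EXAMPLE.TEST: kvno = 5
nfs/el71.example.test@EXAMPLE.TEST: kvno = 3
"""

# keytab line: <kvno> <date> <time> <principal> (<enctype>)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(")
# kvno line: <principal>: kvno = <n>
KVNO_RE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)")


def parse_keytab(text):
    """Map each principal in `klist -ket` output to the set of KVNOs it holds."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys


def parse_kvno(text):
    """Map each principal in `kvno` output to the version the KDC currently issues."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_RE.match(l) for l in text.splitlines()) if m}


def check_keytab(keytab_text, kvno_text):
    """Return {principal: 'ok' | 'stale' | 'missing'}. 'stale' means the KDC
    issues a key version the keytab does not contain: tickets for that service
    cannot be decrypted, which is what 'Decrypt integrity check failed' reports."""
    keytab = parse_keytab(keytab_text)
    result = {}
    for princ, kdc_kvno in parse_kvno(kvno_text).items():
        have = keytab.get(princ)
        result[princ] = ("missing" if have is None
                         else "ok" if kdc_kvno in have else "stale")
    return result


if __name__ == "__main__":
    for princ, status in check_keytab(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"{status:8} {princ}")
```

A 'stale' result for host/<fqdn> is the case a fresh ipa-getkeytab (or, as happened here, a client reinstall) repairs; an 'ok' result means the keytab is not the cause and the search has to move elsewhere.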