[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

Marat Vyshegorodtsev marat.vyshegorodtsev at gmail.com
Wed Apr 13 07:47:24 UTC 2016


I don't know why, but half of my hosts refused to talk to IPA over
Kerberos, even after I had re-enrolled them and put new keytabs.

I ended up dropping sssd-ipa over sssd-ldap and it is working like a
charm (over LDAPS though).

Frankly, debugging and working with Kerberos has been a nightmare...
Now I have only ports 22, 443, and 636 open; it gives a bit more
confidence in the stability of the whole setup.

Marat

On Sat, Feb 27, 2016 at 6:32 PM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
> On (24/02/16 14:28), Marat Vyshegorodtsev wrote:
>>> Are you just toying with this or did something go horribly wrong and
>>you're trying to restore a production environment?
>>
>>This. :-(
>>
>>I have actually rebuilt the environment from scratch, then wrote a
>>perl script that just recreated all users from the ldif using ipa
>>user-add and reset password for everyone.
>>
>>After the fresh install the following command was used for each user:
>>ipa user-add --first='John' --last='Doe' --uid=1603600001
>>--gid=1603600001 --email='john.doe at contoso.com' --sshpubkey='ssh-rsa
>><keyhere>' --random john.doe
>>
>>I had to force uids/gids, so that users don't lose access to their home folders.
>>
>>I have regenerated keytabs on all client hosts, but now some weird
>>behavior is demonstrated by sssd: users intermittently fail to
>>log in. This is a log from a client machine (Amazon Linux 2015.09):
>>
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400):
>>Client connected!
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>>Received client version [0].
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>>Offered version [0].
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request]
>>(0x0400): Requested domain [<ALL>]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request]
>>(0x0400): Parsing name [marat.vyshegorodtsev][<ALL>]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_parse_name_for_domains]
>>(0x0200): name 'marat.vyshegorodtsev' matched without domain, user is
>>marat.vyshegorodtsev
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
>>(0x0400): Requesting SSH user public keys for [marat.vyshegorodtsev]
>>from [<ALL>]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_issue_request]
>>(0x0400): Issuing request for
>>[0x40b2d0:1:marat.vyshegorodtsev at contoso.com]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg]
>>(0x0400): Creating request for
>>[contoso.com][1][1][name=marat.vyshegorodtsev]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xb99c10
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_internal_get_send]
>>(0x0400): Entering request
>>[0x40b2d0:1:marat.vyshegorodtsev at contoso.com]
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xb99c10
>>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000):
>>Got reply from Data Provider - DP error code: 1 errno: 11 error
>>message: Offline
> sssd works in offline mode.
> You can find the reason/more details in different log files
> (sssd_$domain.log).
>
> You installed the server from scratch, so it might be a certificate issue
> (just a wild guess).
>
> LS
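The rebuild procedure described in the quoted message (recreating every user from the old LDIF with `ipa user-add`, forcing the original uid/gid so home directories stay owned by the right account), as an added example that is not the poster's Perl script and not part of the original thread: a stdlib-only Python script that parses an LDIF user export and prints the equivalent `ipa user-add` command lines without running them. The sample LDIF, names, numbers and keys are constructed; repeating `--sshpubkey` once per key is an assumption about how the `ipa` CLI takes multi-valued options.

```python
"""Rebuild IPA users from an LDIF export, preserving uidNumber/gidNumber.

Added example, not the original poster's script: parses an LDIF export of
cn=users and builds the `ipa user-add` argument vector from the thread.
Commands are printed for review, never executed.
"""
import base64
import shlex
from typing import Dict, Iterator, List

# Constructed sample in the shape of an IPA user export (two entries; the
# second uses a base64 attribute and carries two SSH keys).
SAMPLE_LDIF = """\
dn: uid=john.doe,cn=users,cn=accounts,dc=contoso,dc=com
objectClass: posixaccount
uid: john.doe
givenName: John
sn: Doe
uidNumber: 1603600001
gidNumber: 1603600001
mail: john.doe@contoso.com
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 john@laptop

dn: uid=jane.roe,cn=users,cn=accounts,dc=contoso,dc=com
objectClass: posixaccount
uid: jane.roe
givenName:: SmFuZQ==
sn: Roe
uidNumber: 1603600002
gidNumber: 1603600002
mail: jane.roe@contoso.com
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample2 jane@laptop
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample3 jane@desktop
"""


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield entries as {attribute_lowercase: [values]}.

    Handles RFC 2849 continuation lines (leading space) and base64 values
    ('attr:: ...'); entries are separated by blank lines.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)

    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):          # '<' is a URL reference; not supported here
            raise ValueError(f"URL-valued attribute not supported: {line}")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        yield entry


def user_add_argv(entry: Dict[str, List[str]]) -> List[str]:
    """Build the `ipa user-add` argv from the thread, forcing uid/gid.

    --random makes IPA generate a one-time password, which is how the poster
    reset every account after the rebuild.
    """
    def one(attr: str) -> str:
        values = entry.get(attr.lower())
        if not values:
            raise ValueError(f"{entry.get('dn')}: missing attribute {attr}")
        return values[0]

    argv = ["ipa", "user-add",
            f"--first={one('givenName')}",
            f"--last={one('sn')}",
            f"--uid={int(one('uidNumber'))}",   # int() rejects garbage IDs early
            f"--gid={int(one('gidNumber'))}",
            "--random"]
    if entry.get("mail"):
        argv.append(f"--email={entry['mail'][0]}")
    for key in entry.get("ipasshpubkey", []):   # assumed: repeat the option per key
        argv.append(f"--sshpubkey={key}")
    argv.append(one("uid"))
    return argv


def ldif_to_commands(text: str) -> List[str]:
    """Return one shell-quoted `ipa user-add` line per LDIF entry."""
    return [shlex.join(user_add_argv(e)) for e in parse_ldif(text)]


if __name__ == "__main__":
    for cmd in ldif_to_commands(SAMPLE_LDIF):
        print(cmd)
```

Review the printed lines before running them; if the export also carries group memberships they are not recreated here, so `ipa group-add-member` would still have to be done separately.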
