[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

Lukas Slebodnik lslebodn at redhat.com
Sat Feb 27 09:32:07 UTC 2016


On (24/02/16 14:28), Marat Vyshegorodtsev wrote:
>> Are you just toying with this or did something go horribly wrong and
>> you're trying to restore a production environment?
>
>This. :-(
>
>I have actually rebuilt the environment from scratch, then wrote a
>perl script that just recreated all users from the ldif using ipa
>user-add and reset password for everyone.
>
>After the fresh install the following command was used for each user:
>ipa user-add --first='John' --last='Doe' --uid=1603600001
>--gid=1603600001 --email='john.doe at contoso.com' --sshpubkey='ssh-rsa
><keyhere>' --random john.doe
>
>I had to force uids/gids, so that users don't lose access to their home folders.
>
>I have regenerated keytabs on all client hosts, but now some
>weird behavior is demonstrated by sssd: users intermittently fail to
>log in. This is a log from a client machine (Amazon Linux 2015.09):
>
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400):
>Client connected!
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>Received client version [0].
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>Offered version [0].
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request]
>(0x0400): Requested domain [<ALL>]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request]
>(0x0400): Parsing name [marat.vyshegorodtsev][<ALL>]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_parse_name_for_domains]
>(0x0200): name 'marat.vyshegorodtsev' matched without domain, user is
>marat.vyshegorodtsev
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
>(0x0400): Requesting SSH user public keys for [marat.vyshegorodtsev]
>from [<ALL>]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_issue_request]
>(0x0400): Issuing request for
>[0x40b2d0:1:marat.vyshegorodtsev at contoso.com]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg]
>(0x0400): Creating request for
>[contoso.com][1][1][name=marat.vyshegorodtsev]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xb99c10
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_internal_get_send]
>(0x0400): Entering request
>[0x40b2d0:1:marat.vyshegorodtsev at contoso.com]
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xb99c10
>(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000):
>Got reply from Data Provider - DP error code: 1 errno: 11 error
>message: Offline
sssd is working in offline mode.
You can find the reason/more details in different log files
(sssd_$domain.log).

You installed the server from scratch, so it might be a certificate issue
(just a wild guess).

LS
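As an added example (not part of this thread and not sssd's own code), here is a small parser that re-joins the mail-wrapped sssd debug lines quoted above and pulls out the Data Provider reply, so that the "Offline" state Lukas points at can be spotted mechanically rather than by eye. The sample input is the excerpt from the post, still wrapped the way the mail client left it; the record-start and reply regexes are assumptions about the log layout shown, and the "next step" in the result is just his advice to look in sssd_$domain.log.

```python
"""Parse wrapped sssd debug-log lines and flag a Data Provider 'Offline' reply.

Added example, not code from the mailing-list thread or from sssd itself.
"""
import errno
import re
from typing import Dict, List, Optional

# Constructed sample: the sssd[ssh] excerpt as it appears in the mail,
# including lines wrapped by the mail client.
SAMPLE_LOG = """\
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400):
Client connected!
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Received client version [0].
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg]
(0x0400): Creating request for
[contoso.com][1][1][name=marat.vyshegorodtsev]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000):
Got reply from Data Provider - DP error code: 1 errno: 11 error
message: Offline
"""

# A new record starts with a parenthesised timestamp like "(Wed Feb 24 22:08:49 2016)".
# A wrapped continuation line may also start with "(" (e.g. "(0x0400): ..."),
# so we key on the timestamp shape, not just the parenthesis (assumption).
RECORD_START = re.compile(
    r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\)"
)

# One sssd debug record: (timestamp) [sssd[service]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<service>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)

# The reply text printed in sss_dp_get_reply(), as seen in the excerpt.
DP_REPLY_RE = re.compile(
    r"Got reply from Data Provider - DP error code: (?P<code>\d+) "
    r"errno: (?P<errno>\d+) error message: (?P<message>.*)$"
)


def unwrap(text: str) -> List[str]:
    """Re-join mail-wrapped lines: anything not starting a new record is a
    continuation of the previous one."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_line(record: str) -> Optional[Dict[str, str]]:
    """Split one re-joined record into its fields, or None if it does not match."""
    m = LINE_RE.match(record)
    return m.groupdict() if m else None


def find_dp_replies(text: str) -> List[Dict[str, object]]:
    """Return every Data Provider reply found in the log text, with numeric fields."""
    replies: List[Dict[str, object]] = []
    for rec in unwrap(text):
        parsed = parse_line(rec)
        if not parsed or parsed["func"] != "sss_dp_get_reply":
            continue
        m = DP_REPLY_RE.match(parsed["msg"])
        if m:
            replies.append({
                "ts": parsed["ts"],
                "service": parsed["service"],
                "code": int(m["code"]),
                "errno": int(m["errno"]),
                "message": m["message"].strip(),
            })
    return replies


def diagnose(text: str) -> Dict[str, object]:
    """Say whether the responder log shows the backend offline and where to look next."""
    replies = find_dp_replies(text)
    offline = [r for r in replies if r["message"] == "Offline"]
    first = offline[0] if offline else None
    return {
        "offline": bool(offline),
        "dp_replies": len(replies),
        "errno": first["errno"] if first else None,
        "errno_name": errno.errorcode.get(first["errno"], "?") if first else None,
        # The responder log only says "Offline"; the cause lives in the domain log.
        "next_step": "check sssd_<domain>.log for why the backend went offline"
        if offline else "backend answered; look elsewhere",
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The responder log (sssd[ssh] here) only reports that the data provider answered "Offline"; the parser therefore stops at that fact and points at the domain log, which is where the reason (a certificate problem, an unreachable server, or something else) would actually be recorded.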
