[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Sean Hogan schogan at us.ibm.com
Wed Nov 16 02:24:38 UTC 2016



Hello,


   I am starting to see some issues with a few RHEL 7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.


RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64

RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64


The RHEL 7 client shows this in messages

Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support for encryption type
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

I am also not seeing host certs for them on the ipa server but I do see
them on the local box.

[root@server1 pam.d]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/server1.ipa.local@IPA.LOCAL
   2    1 host/server1.ipa.local@IPA.LOCAL
   3    1 host/server1.ipa.local@IPA.LOCAL
   4    1 host/server1.ipa.local@IPA.LOCAL
ktutil:


I have one RHEL 7 box with no issues as it was just enrolled (missing host
certs in IPA though), and I compared an IPA ID login with a box not
working.

Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'

vs

Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'

It's almost as if the pam files are not being read?



Sean Hogan
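Added example (not part of the original post, and not FreeIPA or SSSD code): the ktutil listing in the post shows slot, KVNO and principal but not the encryption type of each key, which is exactly what the "Program lacks support for encryption type" message is about. On a real client `klist -ket /etc/krb5.keytab` (or `l -e` inside ktutil) shows it. The script below reads the MIT keytab file format directly, prints the enctype per slot without ever returning the key bytes, and flags slots whose enctype is outside a permitted set. The sample keytab, its five slots (four live, one deleted), the enctypes, the all-zero key material and the permitted set {17, 18} are all constructed for the example; the enctypes actually in the poster's keytab are not shown on this page.

```python
# Added example: list what `ktutil: l` hides, the enctype of each keytab slot.
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757/8009) with their MIT names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}

def _unpack(fmt, data, pos):
    """Unpack big-endian fields at pos; return (values, new pos)."""
    return struct.unpack_from(fmt, data, pos), pos + struct.calcsize(fmt)

def _counted(data, pos):
    """Read a uint16-length-prefixed byte string (keytab counted_octet_string)."""
    (n,), pos = _unpack(">H", data, pos)
    return data[pos:pos + n], pos + n

def parse_keytab(data):
    """Parse a version 0x0502 MIT keytab into one dict per live slot.
    Entry: int32 size | uint16 ncomp | realm | components | uint32 name_type
    | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key
    | optional uint32 vno32.  Negative size marks a deleted slot.  Keys are dropped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,), pos = _unpack(">i", data, pos)
        if size < 0:                      # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,), pos = _unpack(">H", data, pos)
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        (_name_type, _timestamp, vno8), pos = _unpack(">IIB", data, pos)
        (enctype, klen), pos = _unpack(">HH", data, pos)
        pos += klen                       # step over the secret key material
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno overrides vno8 when non-zero
            (vno32,), _ = _unpack(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "slot": len(entries) + 1,
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
    return entries

def unsupported_slots(entries, permitted):
    """Slots whose enctype is not in `permitted`, a set of enctype numbers."""
    return [(e["slot"], e["enctype_name"]) for e in entries
            if e["enctype"] not in permitted]

def build_keytab(keys):
    """Serialise (principal, kvno, enctype, key, deleted) tuples; builds the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, deleted in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1479259242, kvno & 0xFF)  # NT-PRINCIPAL, ts, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", -len(body) if deleted else len(body)) + body
    return bytes(out)

# Constructed sample: four live keys for the host principal from the post at
# KVNO 1 plus one deleted slot, with assumed enctypes and all-zero dummy keys.
SAMPLE_PRINCIPAL = "host/server1.ipa.local@IPA.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 1, 3, bytes(8), True),    # removed des-cbc-md5 key
    (SAMPLE_PRINCIPAL, 1, 18, bytes(32), False),
    (SAMPLE_PRINCIPAL, 1, 17, bytes(16), False),
    (SAMPLE_PRINCIPAL, 1, 23, bytes(16), False),
    (SAMPLE_PRINCIPAL, 1, 16, bytes(24), False),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%4d %4d %s (%s)" % (e["slot"], e["kvno"], e["principal"], e["enctype_name"]))
    print("not permitted (assumed set {17, 18}):", unsupported_slots(entries, {17, 18}))
```

To use it against a real client, read /etc/krb5.keytab as root and take the permitted set from the enctypes the local libkrb5 accepts (the permitted_enctypes setting in krb5.conf when it is set). A keytab holds long-term secret keys, so the parser deliberately skips the key bytes rather than returning them. The quickest direct test of whether a keytab key still matches the KDC is `kinit -kt /etc/krb5.keytab host/server1.ipa.local@IPA.LOCAL`; the script only tells you which enctypes are present.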