[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Jakub Hrozek jhrozek@redhat.com
Wed Nov 16 09:22:07 UTC 2016


On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
> 
> 
> Hello,
> 
> 
>    I am starting to see some issues with a few RHEL7 boxes I have been
> enrolling to my RHEL 6 IPA server regarding encryption.
> 
> 
> RHEL 7 client
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> sssd-ipa-1.12.2-58.el7_1.18.x86_64
> ipa-client-4.1.0-18.el7_1.4.x86_64
> 
> RHEL 6 Server
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> sssd-ipa-1.13.3-22.el6_8.4.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
> 
> 
> The RHEL 7 client shows this in messages
> 
> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
> for encryption type

Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?

> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
> credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
> failed. Unable to create GSSAPI-encrypted LDAP connection.
> 
> I am also not seeing host certs for them on the ipa server but I do see
> them on the local box.
> 
> [root@server1 pam.d]# ktutil

Can you run klist -ke as well to see what encryption types are included
in the keytab?

Is it possible to run "kinit -k" on the client?

> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/server1.ipa.local@IPA.LOCAL
>    2    1 host/server1.ipa.local@IPA.LOCAL
>    3    1 host/server1.ipa.local@IPA.LOCAL
>    4    1 host/server1.ipa.local@IPA.LOCAL
> ktutil:
> 
> 
> I have one RHEL 7 box with no issues as it was just enrolled (missing host
> certs in IPA though) and I compared an IPA ID login with a box not
> working
> Work
> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
> hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'
> 
> vs
> 
> Works
> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
> exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
> res=success'
> 
> It's almost as if the pam files are not being read?
> 
> 
> 
> Sean Hogan
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
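A check of the kind Jakub asks for, added here as an example and not code from the thread or from FreeIPA/SSSD: parse `klist -ke` output for the client keytab and report which entries use an enctype the client is allowed to use. The sample output, the `CLIENT_ENCTYPES` set and all function names are constructed assumptions; the real check is run against your own `klist -ke` output and the enctypes permitted in the client's `/etc/krb5.conf`.

```python
import re

# Constructed sample of `klist -ke` output for the keytab discussed in the
# thread (nobody on the list posted this; enctype names are assumed).
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96) 
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96) 
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1) 
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac) 
"""

# Assumed set of enctypes the client's libkrb5 may use (what permitted_enctypes
# in /etc/krb5.conf would allow); adjust to the client's real configuration.
CLIENT_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# Single-DES enctypes are refused by MIT krb5 unless allow_weak_crypto = true.
WEAK_PREFIXES = ("des-cbc-",)

# One keytab entry line: "   1 host/foo@REALM (enctype) "
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")


def parse_klist_ke(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(text, client_enctypes):
    """Split keytab entries into those the client can use and those it cannot."""
    entries = parse_klist_ke(text)
    usable = [e for e in entries if e[2] in client_enctypes]
    unsupported = [e for e in entries if e[2] not in client_enctypes]
    return usable, unsupported


def diagnose(text, client_enctypes):
    """'ok' if at least one key is usable; 'weak-only' if every key is
    single-DES; 'no-usable-key' otherwise; 'empty' if nothing parsed."""
    entries = parse_klist_ke(text)
    if not entries:
        return "empty"
    if any(e[2] in client_enctypes for e in entries):
        return "ok"
    if all(e[2].startswith(WEAK_PREFIXES) for e in entries):
        return "weak-only"
    return "no-usable-key"
```

A keytab whose only keys are in the unsupported list is one situation in which the client library reports that it lacks support for the encryption type, so the result of `diagnose` is worth comparing with the ldap_child log.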