[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Sean Hogan schogan at us.ibm.com
Wed Nov 16 16:14:20 UTC 2016


Hi Jakub,

   Thanks... here is output


klist -ke
[root@server1 rusers]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)



kinit -k: odd, though, as kinit -k seems to fail but kinit with admin seems to work, indicating I can hit the KDC even though kinit -k says I cannot?

[root@server1 pam.d]# kinit -k server1
kinit: Keytab contains no suitable keys for server1@IPA.LOCAL while getting initial credentials
[root@server1 pam.d]# kinit -k server1.IPA.LOCAL
kinit: Keytab contains no suitable keys for server1.IPA.LOCAL@IPA.LOCAL while getting initial credentials
[root@server1 pam.d]# kinit admin
Password for admin@ipa.local:
[root@server1 pam.d]#
[root@server1 pam.d]# klist
Ticket cache: KEYRING:persistent:1111111111:1111111111
Default principal: admin@IPA.LOCAL

Valid starting       Expires              Service principal
11/16/2016 10:44:02  11/17/2016 10:43:54  krbtgt/IPA.LOCAL at IPA.LOCAL

[root@server1 pam.d]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/server1.ipa.local@IPA.LOCAL
   2    1 host/server1.ipa.local@IPA.LOCAL
   3    1 host/server1.ipa.local@IPA.LOCAL
   4    1 host/server1.ipa.local@IPA.LOCAL



Added debug_level = 10 to the domain section of sssd.conf and restarted; this is all I see:
[root@server1 sssd]# cat ldap_child.log
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type




Additional:

[root@server1 rusers]# systemctl -l status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
  Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 3042 (sssd)
   CGroup: /system.slice/sssd.service
           ├─3042 /usr/sbin/sssd -D -f
           ├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0 --debug-to-files
           ├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security Services Daemon.
Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
[root@server1 rusers]#

Seeing this in /var/log/sssd/sssd_ipa.local.log

(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could not initialize backend [14]
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: Bad address
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module] (0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!

This is also strange, but might be a side effect, I assume. We mount NFS v4 home dirs with automount for central homes and profiles. On the boxes having this issue, some of the IDs show just the UID numbers/GID numbers, whereas some of the IDs actually show the UID name/GID name. We have over 2k servers showing the UID name/GID name with no issues; it is just the boxes having this issue.



Sean Hogan

From:	Jakub Hrozek <jhrozek at redhat.com>
To:	freeipa-users at redhat.com
Date:	11/16/2016 02:29 AM
Subject:	Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sent by:	freeipa-users-bounces at redhat.com



On Tue, Nov 15, 2016 at 07:24:38PM -0700, Sean Hogan wrote:
>
>
> Hello,
>
>
>    I am starting to see some issues with a few RHEL7 boxes I have been
> enrolling to my RHEL 6 IPA server regarding encryption.
>
>
> RHEL 7 client
> Red Hat Enterprise Linux Server release 7.1 (Maipo)
> sssd-ipa-1.12.2-58.el7_1.18.x86_64
> ipa-client-4.1.0-18.el7_1.4.x86_64
>
> RHEL 6 Server
> Red Hat Enterprise Linux Server release 6.8 (Santiago)
> sssd-ipa-1.13.3-22.el6_8.4.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
>
>
> The RHEL 7 client shows this in messages
>
> Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support for encryption type

Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?

> Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> I am also not seeing host certs for them on the ipa server but I do see
> them on the local box.
>
> [root@server1 pam.d]# ktutil

Can you run klist -ke as well to see what encryption types are included
in the keytab?

Is it possible to run "kinit -k" on the client?

> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/server1.ipa.local@IPA.LOCAL
>    2    1 host/server1.ipa.local@IPA.LOCAL
>    3    1 host/server1.ipa.local@IPA.LOCAL
>    4    1 host/server1.ipa.local@IPA.LOCAL
> ktutil:
>
>
> I have one RHEL 7 box with no issues as it was just enrolled (missing host
> certs in IPA though) and I compared an IPA ID login with a box not working.
> NOT Work
> type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed'
>
> vs
>
> Works
> type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
> auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit
acct="janedoe"
> exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
> res=success'
>
> It's almost as if the pam files are not being read?
>
>
>
> Sean Hogan
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
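As an added example that is not part of the thread: a small POSIX shell script that reads `klist -ke` output offline and makes the two facts this exchange turns on checkable. First, the keytab above holds keys only for `host/server1.ipa.local@IPA.LOCAL`, while `kinit -k server1` asks for `server1@IPA.LOCAL` (a bare name gets the default realm appended), so "Keytab contains no suitable keys" is expected and says nothing about the KDC. Second, the enctypes present in the keytab are exactly what an enctype-support error should be compared against. The first listing is the one posted for server1; the second listing with a des-cbc-crc key, the weak-enctype list (single-DES only, the family a RHEL 7 client refuses unless `allow_weak_crypto = true`), and the `kinit -kt` hint are constructed assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks against `klist -ke` output.
# Every function reads the listing on stdin; nothing here talks to a KDC.

# Listing as posted in the thread for server1 (copied; '@' restored).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (aes128-cts-hmac-sha1-96)
   1 host/server1.ipa.local@IPA.LOCAL (des3-cbc-sha1)
   1 host/server1.ipa.local@IPA.LOCAL (arcfour-hmac)'

# Constructed listing (not from the thread) with a single-DES key, to show
# what a keytab that trips a DES-disabled client looks like.
SAMPLE_DES_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/old1.ipa.local@IPA.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/old1.ipa.local@IPA.LOCAL (des-cbc-crc)'

# keytab_entries: turn klist -ke text into one "kvno|principal|enctype" line per key.
keytab_entries() {
    awk '
        # key lines: KVNO, a principal containing "@", then the enctype in parentheses
        /^[[:space:]]*[0-9]+[[:space:]]+[^ ]+@[^ ]+[[:space:]]+\(.*\)$/ {
            etype = $3
            gsub(/[()]/, "", etype)
            print $1 "|" $2 "|" etype
        }'
}

# principals: the distinct principals the keytab can authenticate as.
principals() { keytab_entries | cut -d'|' -f2 | sort -u; }

# enctypes: every key enctype in the keytab, in listing order.
enctypes() { keytab_entries | cut -d'|' -f3; }

# has_principal PRINC: succeed only if the keytab holds a key for PRINC.
has_principal() { principals | grep -qx "$1"; }

# kinit_principal NAME REALM: how kinit interprets a client name given without
# a realm, i.e. the default realm is appended. "kinit -k server1" therefore
# looks for server1@IPA.LOCAL, which is not a host keytab principal.
kinit_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# weak_enctypes: key enctypes in the single-DES family. MIT krb5 on RHEL 7
# refuses these unless allow_weak_crypto = true. The list is an assumption
# here and deliberately covers only DES, not RC4 (arcfour-hmac) or 3DES.
weak_enctypes() {
    enctypes | grep -E '^des-cbc-(crc|md4|md5)$|^des-hmac-sha1$' || true
}

# kinit_hint: print the kinit invocations that match what the keytab holds.
kinit_hint() {
    principals | while read -r p; do
        printf 'kinit -kt /etc/krb5.keytab %s\n' "$p"
    done
}

# Stand-alone run: report on both listings.
for listing in "$SAMPLE_KLIST" "$SAMPLE_DES_KLIST"; do
    printf '%s\n' "$listing" | kinit_hint
    weak="$(printf '%s\n' "$listing" | weak_enctypes)"
    if [ -n "$weak" ]; then
        printf 'weak enctype(s) present: %s\n' "$weak"
    fi
done
```

On a live client the equivalent check is `KRB5_TRACE=/dev/stderr kinit -kt /etc/krb5.keytab host/server1.ipa.local@IPA.LOCAL`, which prints the enctypes the client offers and the one the KDC picks; that is the same trace the `debug_level=10` ldap_child log should carry. Note the caveat this script cannot resolve: "Decrypt integrity check failed" against a keytab means the key material in the keytab does not match the KDC's copy of the host key, which no enctype list will explain and which points at the keytab (or the host entry) rather than at crypto support.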
