[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

Jakub Hrozek jhrozek at redhat.com
Fri Sep 30 06:59:38 UTC 2016


On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote:
> Thanks Florence and Rob! The replica worked after adding the certs during
> the replica preparation.
> 
> Now I got several IPA clients installed with user authentication (ssh login
> with the users in IPA) working after some work. However, one of them failed
> during login with the following messages in syslog:
> 
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache
> permissions incorrect

This is RHEL-7, right? Then I'm not sure why ccache permissions would be
incorrect, except maybe for an SELinux issue... (you are using the KEYRING
ccache, right?)

> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed
> Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity
> check failed

These two mean a wrong password was supplied.

You can enable sssd debugging and take a look into krb5_child.log. If
you crank up the debug_level all the way up to 10, then you'll also see
KRB5_TRACE-level messages.



