<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
"
<span style="color: rgb(42, 42, 42); font-family: 'Segoe UI', Tahoma, Verdana, Arial, sans-serif; background-color: rgb(255, 255, 255); ">Is this from the client or from the server? I bet on the server.</span>"<div><br></div><div>That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files.</div><div><br></div><div>thanks</div><div>Matt<br><br><div><div id="SkyDrivePlaceholder"></div><hr id="stopSpelling">Date: Wed, 2 May 2012 14:57:24 -0400<br>From: dpal@redhat.com<br>To: matt@mldserviceslex.com<br>CC: freeipa-users@redhat.com<br>Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability<br><br>

  
    
  
  
    On 05/02/2012 02:50 PM, Matthew Davidson wrote:
    <blockquote cite="mid:SNT104-W395AFEBCC767D220CA34AAA32E0@phx.gbl">
      <style><!--
.ExternalClass .ecx.hmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Tahoma;}

--></style>
      <div dir="ltr">
        <div>
          <pre class="ecxmoz-signature"><font face="Tahoma">Dmitri,</font></pre>
        </div>
        <div>1) Do you have an admin account on the IPA side?</div>
        <div><br>
        </div>
        <div>Yes. And judging by the command below admin does log in, or
          am I mistaken?</div>
        <div><br>
        </div>
        <div>
          <div>[root@rhel5 ~]# kinit admin</div>
          <div>Password for <a class="ecxmoz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.COM:">admin@EXAMPLE.COM:</a></div>
          <div><br>
          </div>
          <div>[root@rhel5 ~]# klist</div>
          <div>Ticket cache: <a class="ecxmoz-txt-link-freetext" target="_blank">FILE:/tmp/krb5cc_0</a></div>
          <div>Default principal: <a class="ecxmoz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a></div>
          <div><br>
          </div>
          <div>Valid starting     Expires            Service principal</div>
          <div>05/02/12 14:47:40  05/03/12 14:47:36
             <a class="ecxmoz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a></div>
          <div><br>
          </div>
          <div>Kerberos 4 ticket cache: /tmp/tkt0</div>
          <div>klist: You have no tickets cached</div>
        </div>
        <div><br>
        </div>
      </div>
    </blockquote>
    <br>
    Is this from the client or from the server? I bet on the server.<br>
    Rob might be right that the client fails to find the right
    authentication server due to the DNS configuration.<br>
    <br>
    <blockquote cite="mid:SNT104-W395AFEBCC767D220CA34AAA32E0@phx.gbl">
      <div dir="ltr">
        <div>2) Is there a firewall between client and server? Are LDAP
          and LDAPS allowed via the FW?</div>
        <div><br>
        </div>
        <div>No firewall. I shut those down at the first sign of trouble.
        </div>
        <div><br>
        </div>
        <div>Thanks</div>
        <div>Matt</div>
        <br>
        <div>
          <hr id="ecxstopSpelling">Date: Wed, 2 May 2012 13:51:15 -0400<br>
          From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
          To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
          Subject: Re: [Freeipa-users] red hat 5 and red hat 6
          compatability<br>
          <br>
          On 05/02/2012 12:43 PM, Matthew Davidson wrote:
          <blockquote cite="mid:SNT104-W49B47EEB75A9A425C0731EA32E0@phx.gbl">
            <style><!--
.ExternalClass .ecx.ExternalClass .ecxecx.hmmessage P
{padding:0px;}
.ExternalClass .ecx.ExternalClass body.ecxecxhmmessage
{font-size:10pt;font-family:Tahoma;}

--></style>
            <div dir="ltr">
              <div>Hi Rob</div>
              <div><br>
              </div>
              <div>[root@rhel5 ~]# ipa-client-install
                --domain=EXAMPLE.COM --server=rhel6.example.com</div>
              <div>DNS domain 'example.com' is not configured for
                automatic KDC address lookup.</div>
              <div>KDC address will be set to fixed value.</div>
              <div><br>
              </div>
              <div>Discovery was successful!</div>
              <div>Hostname: rhel6.example.com</div>
              <div>Realm: EXAMPLE.COM</div>
              <div>DNS Domain: EXAMPLE.COM</div>
              <div>IPA Server: rhel6.example.com</div>
              <div>BaseDN: dc=example,dc=com</div>
              <div><br>
              </div>
              <div>Continue to configure the system with these values?
                [no]: yes</div>
              <div>User authorized to enroll computers: admin</div>
              <div>Synchronizing time with KDC...</div>
              <div>Password for <a class="ecxmoz-txt-link-abbreviated" href="mailto:admin@EXAMPLE.COM:">admin@EXAMPLE.COM:</a></div>
              <div><br>
              </div>
              <div>Enrolled in IPA realm EXAMPLE.COM</div>
              <div>Created /etc/ipa/default.conf</div>
              <div>Configured /etc/sssd/sssd.conf</div>
              <div>Configured /etc/krb5.conf for IPA realm EXAMPLE.COM</div>
              <div>SSSD enabled</div>
              <div><b>Unable to find 'admin' user with 'getent passwd
                  admin'!</b></div>
            </div>
          </blockquote>
          <br>
          1) Do you have an admin account on the IPA side?<br>
          2) Is there a firewall between client and server? Are LDAP and
          LDAPS allowed via the FW?<br>
          <br>
          <blockquote cite="mid:SNT104-W49B47EEB75A9A425C0731EA32E0@phx.gbl">
            <div dir="ltr">
              <div>Recognized configuration: SSSD</div>
              <div>Changed configuration of /etc/ldap.conf to use
                hardcoded server name: rhel6.example.com</div>
              <div>NTP enabled</div>
              <div>Client configuration complete.</div>
              <div><br>
              </div>
              <div>/var/log/secure</div>
              <div>May  2 12:31:14 rhel5 sshd[3250]: Invalid user
                mdavidson from 192.168.1.5</div>
              <div>May  2 12:31:14 rhel5 sshd[3251]:
                input_userauth_request: invalid user mdavidson</div>
              <div>May  2 12:31:19 rhel5 sshd[3250]:
                pam_unix(sshd:auth): check pass; user unknown</div>
              <div>May  2 12:31:19 rhel5 sshd[3250]:
                pam_unix(sshd:auth): authentication failure; logname=
                uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com</div>
              <div>May  2 12:31:19 rhel5 sshd[3250]:
                pam_succeed_if(sshd:auth): error retrieving information
                about user mdavidson</div>
              <div>May  2 12:31:21 rhel5 sshd[3250]: Failed password for
                invalid user mdavidson from 192.168.1.5 port 52511 ssh2</div>
              <div><br>
              </div>
              <div>/var/log/sssd/ldap_child.log</div>
              <div>(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256]]]]
                [ldap_child_get_tgt_sync] (0): Failed to init
                credentials: Client not found in Kerberos database</div>
              <div><br>
              </div>
              <div>/var/log/sssd/sssd.log</div>
              <div>(Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0):
                Monitor received Terminated: terminating children</div>
              <div>(Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0):
                Monitor received Terminated: terminating children</div>
              <div><br>
              </div>
              <div>thanks for helping!</div>
              <div>Matt</div>
              <br>
              <div>> Date: Wed, 2 May 2012 11:30:52 -0400<br>
                > From: <a class="ecxmoz-txt-link-abbreviated" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
                > To: <a class="ecxmoz-txt-link-abbreviated" href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a><br>
                > CC: <a class="ecxmoz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
                > Subject: Re: [Freeipa-users] red hat 5 and red hat
                6 compatability<br>
                > <br>
                > Matthew Davidson wrote:<br>
                > > To clarify one point.<br>
                > ><br>
                > > I used the current redhat documents to setup
                the two systems.<br>
                > ><br>
                > >
                Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US<br>
                > ><br>
                > >
                Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US<br>
                > ><br>
                > > SSH does not seem to be discussed and that is
                when I started web surfing<br>
                > > in an attempt to fix my problem before
                reaching out for help.<br>
                > <br>
                > A host service principal is created during
                enrollment so no additional <br>
                > work should be needed for SSH to work. The problem
                you're having is <br>
                > related to the fact that user lookup services are
                failing.<br>
                > <br>
                > Can you look in /var/log/secure and/or
                /var/log/sssd/* to see if there <br>
                > are any errors reported regarding sssd?<br>
                > <br>
                > What options did you pass to ipa-client-install?<br>
                > <br>
                > rob<br>
              </div>
            </div>
            <pre><fieldset class="ecxmimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="ecxmoz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="ecxmoz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
          </blockquote>
          <br>
          <br>
          <pre class="ecxmoz-signature">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="ecxmoz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>


</pre>
          </div>
      </div>
    </blockquote>
</div></div>                                      </div></body>
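As an added example (not code from anyone in this thread), a small triage script that correlates the sshd "Invalid user" rejections from /var/log/secure with the ldap_child TGT failures from /var/log/sssd/ldap_child.log, turning Rob's diagnosis (SSH fails because user lookup itself is failing) into a repeatable check. The log lines are constructed to match the output quoted above, the year is supplied by the caller because syslog omits it, and the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's /var/log/secure and
# /var/log/sssd/ldap_child.log output (the line formats are assumed from the post).
SECURE_LOG = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""
LDAP_CHILD_LOG = """\
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""
# sshd rejects a login it cannot resolve to an account; sssd's ldap_child logs when the
# client's own host principal fails to obtain the TGT it needs to bind to the IPA LDAP.
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)")
TGT_RE = re.compile(r"^\((\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d) (\d{4})\) .*\[ldap_child_get_tgt_sync\].*Failed to init credentials: (.*)$")


def parse_secure(text, year):
    """Return (timestamp, user, remote host) for each 'Invalid user' line; syslog has no year."""
    out = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            out.append((ts, m.group(2), m.group(3)))
    return out


def parse_ldap_child(text):
    """Return (timestamp, reason) for each failed TGT acquisition by sssd's ldap_child."""
    out = []
    for line in text.splitlines():
        m = TGT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
            out.append((ts, m.group(3)))
    return out


def triage(secure_text, ldap_child_text, year, window_s=5):
    """One finding per rejected SSH login: was the identity lookup itself broken at that moment?"""
    tgt_failures = parse_ldap_child(ldap_child_text)
    findings = []
    for ts, user, rhost in parse_secure(secure_text, year):
        near = [r for fts, r in tgt_failures if abs((fts - ts).total_seconds()) <= window_s]
        if near:
            cause = f"lookup of '{user}' failed because sssd could not get a TGT: {near[0]}"
        else:
            cause = f"'{user}' unknown; no sssd TGT failure within {window_s}s (check sssd.conf / ldap.conf)"
        findings.append({"time": ts.isoformat(), "user": user, "rhost": rhost, "cause": cause})
    return findings
```

A "Client not found in Kerberos database" reason next to every rejected login points at the client's host principal (or the KDC it reaches via DNS) rather than at the user, which is where the thread's DNS discussion comes in.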
</html>