Matthew Davidson wrote:
Hi Rob

[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
--server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@example.com:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
*Unable to find 'admin' user with 'getent passwd admin'!*
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name:
rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user
mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user
unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]]
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database

This is the key. sssd can't connect to the IPA server due to this Kerberos error which is why the user information is unavailable.

Am I right to assume you have another Kerberos server (or AD) configured using the same realm name on your network? I have the feeling sssd is finding the wrong KDC.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
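As an added, defender-side illustration (not from the thread or from the IPA project): the sshd "Invalid user" lines above look like a failed login probe, but the ldap_child entries at the same second show the lookup failed because sssd could not obtain a TGT from the KDC. The script below runs over constructed copies of those lines and tags each sshd "Invalid user" event as a backend failure when an sssd credential failure lands within a few seconds of it; the year, the 5-second window and the second "oracle" line are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's /var/log/secure and
# /var/log/sssd/ldap_child.log excerpts; the year is assumed to be 2012.
SECURE_LOG = """\
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
May 2 13:05:02 rhel5 sshd[3300]: Invalid user oracle from 10.0.0.7
"""
LDAP_CHILD_LOG = """\
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)")
SSSD_RE = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\) .*Failed to init credentials: (.+)$")

def parse_sshd(text, year=2012):
    """Return (timestamp, user, source_ip) for each sshd 'Invalid user' line."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), m.group(3)))
    return events

def parse_sssd(text):
    """Return (timestamp, reason) for each ldap_child credential failure."""
    failures = []
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if m:
            failures.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return failures

def triage(secure=SECURE_LOG, ldap_child=LDAP_CHILD_LOG, window_s=5):
    """Tag each 'Invalid user' event: 'backend-failure' when sssd could not
    obtain a TGT within window_s seconds of it, otherwise 'unknown-user'."""
    findings = []
    for ts, user, src in parse_sshd(secure):
        near = [reason for (fts, reason) in parse_sssd(ldap_child)
                if abs((fts - ts).total_seconds()) <= window_s]
        findings.append((user, src, "backend-failure" if near else "unknown-user", near[0] if near else None))
    return findings

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

A run of backend-failure tags for accounts that do exist in IPA points at KDC reachability or realm misconfiguration on the client, not at a credential attack, and is worth alerting on separately from ordinary unknown-user noise.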
