On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> Dmitri,
>
> > 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root@rhel5 ~]# kinit admin
> Password for ad...@example.com:
>
> [root@rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting       Expires              Service principal
> 05/02/12 14:47:40    05/03/12 14:47:36    krbtgt/example....@example.com
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
Is this from the client or from the server? I bet on the server. Rob might be right that the client fails to find the right authentication server due to the DNS configuration.

> > 2) Is there a firewall between client and server? Is LDAP and LDAPS
> > allowed via the FW?
>
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> ------------------------------------------------------------------------
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> *Unable to find 'admin' user with 'getent passwd admin'!*
>
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
> (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcrit...@redhat.com
> > To: m...@mldserviceslex.com
> > CC: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > >
> > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > >
> > > SSH does not seem to be discussed and that is when I started web surfing
> > > in an attempt to fix my problem before reaching out for help.
> >
> > A host service principal is created during enrollment so no additional
> > work should be needed for SSH to work. The problem you're having is
> > related to the fact that user lookup services are failing.
> >
> > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> > are any errors reported regarding sssd?
> >
> > What options did you pass to ipa-client-install?
> >
> > rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
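A small triage script for the two log excerpts Matt posted, added here as an example; it is not code from the thread, from FreeIPA or from SSSD. It parses constructed sample lines modelled on the quoted /var/log/secure and /var/log/sssd/ldap_child.log output (host names, addresses and PIDs are example values), pulls out the two indicators the replies above turn on (sshd reporting an "Invalid user" that PAM could not even look up, and ldap_child failing to get a TGT with "Client not found in Kerberos database", which is the KDC saying it does not know the principal SSSD presented), and correlates the two by timestamp so the SSH failure is tied to the SSSD backend rather than treated as a bad password. The five-second correlation window and the 2012 year (syslog lines carry none) are assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample lines modelled on the /var/log/secure and
# /var/log/sssd/ldap_child.log excerpts posted in the thread. Host names,
# addresses and PIDs are example values, not logs captured from a real system.
SECURE_LOG = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""

LDAP_CHILD_LOG = """\
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

# syslog line written by sshd: "May  2 12:31:14 host sshd[pid]: message"
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# SSSD 1.x child-process log line:
# "(Wed May  2 12:31:14 2012) [[sssd[ldap_child[pid]]]] [function] (level): message"
SSSD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<child>\w+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$")

LOG_YEAR = 2012  # assumption: syslog lines carry no year, taken from the thread's dates
KDC_UNKNOWN_CLIENT = "Client not found in Kerberos database"


def parse_sshd(text: str) -> List[Dict]:
    """Return one dict per recognised sshd syslog line."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(
                f"{m['mon']} {m['day']} {LOG_YEAR} {m['time']}", "%b %d %Y %H:%M:%S")
            events.append({"ts": ts, "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def parse_sssd(text: str) -> List[Dict]:
    """Return one dict per recognised SSSD child log line."""
    events = []
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if m:
            # collapse the day padding in "(Wed May  2 12:31:14 2012)" before parsing
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            events.append({"ts": ts, "child": m["child"], "func": m["func"], "msg": m["msg"]})
    return events


def _users_matching(events: List[Dict], pattern: str) -> Set[str]:
    """Collect the user name captured by `pattern` across event messages."""
    found = set()
    for e in events:
        m = re.search(pattern, e["msg"])
        if m:
            found.add(m.group(1))
    return found


def triage(secure_text: str, ldap_child_text: str, window_s: int = 5) -> Dict:
    sshd = parse_sshd(secure_text)
    sssd = parse_sssd(ldap_child_text)

    # "Invalid user X" together with PAM's "error retrieving information about
    # user X" means NSS never resolved the account: a lookup failure, not a
    # wrong password, which is the point Rob makes in the thread.
    unresolved = _users_matching(sshd, r"error retrieving information about user (\S+)")
    invalid = _users_matching(sshd, r"[Ii]nvalid user (\S+)")
    lookup_failures = sorted(unresolved & invalid)

    # ldap_child could not get a TGT: this message is the KDC's reply when it
    # does not know the client principal in the request (for SSSD, normally
    # the host principal taken from the keytab).
    tgt_failures = [e for e in sssd
                    if e["func"] == "ldap_child_get_tgt_sync" and KDC_UNKNOWN_CLIENT in e["msg"]]

    # Correlate by time: a TGT failure within `window_s` seconds of an
    # "Invalid user" login attempt ties the SSH failure to the SSSD backend.
    login_times = [e["ts"] for e in sshd if "Invalid user" in e["msg"]]
    near_login = sum(
        1 for t in tgt_failures
        if any(abs((t["ts"] - lt).total_seconds()) <= window_s for lt in login_times))

    if tgt_failures and lookup_failures:
        cause = ("the KDC that SSSD reaches does not know this client's principal; "
                 "confirm which KDC the client is talking to and that the enrolled "
                 "host principal exists there before looking at sshd")
    else:
        cause = "no lookup-failure pattern found"
    return {
        "unresolved_users": lookup_failures,
        "tgt_failures": len(tgt_failures),
        "tgt_failures_near_login": near_login,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    for k, v in triage(SECURE_LOG, LDAP_CHILD_LOG).items():
        print(f"{k}: {v}")
```

Run against the sample above it reports one unresolved user, three TGT failures, two of them within the window of the SSH attempt, and the 11:52 failure standing alone, which matches the thread: SSSD was already unable to authenticate to the KDC before anyone tried to log in over SSH. Feeding it real files is a matter of reading them into the two text arguments.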