I don't know why, but half of my hosts refused to talk to IPA over Kerberos, even after I had re-enrolled them and put new keytabs.

I ended up dropping sssd-ipa for sssd-ldap and it is working like a charm (over LDAPS though). Frankly, debugging and working with Kerberos has been a nightmare... Now I have only ports 22, 443, and 636 open; it gives a bit more confidence in the stability of the whole setup.

Marat

On Sat, Feb 27, 2016 at 6:32 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (24/02/16 14:28), Marat Vyshegorodtsev wrote:
>>> Are you just toying with this or did something go horribly wrong and
>>> you're trying to restore a production environment?
>>
>> This. :-(
>>
>> I have actually rebuilt the environment from scratch, then wrote a
>> perl script that just recreated all users from the ldif using ipa
>> user-add and reset the password for everyone.
>>
>> After the fresh install the following command was used for each user:
>> ipa user-add --first='John' --last='Doe' --uid=1603600001 --gid=1603600001 --email='john....@contoso.com' --sshpubkey='ssh-rsa <keyhere>' --random john.doe
>>
>> I had to force uids/gids, so that users don't lose access to their home
>> folders.
>>
>> I have regenerated keytabs on all client hosts, but now some weird
>> behavior is demonstrated by sssd: users intermittently fail to
>> log in. This is a log from a client machine (Amazon Linux 2015.09):
>>
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [marat.vyshegorodtsev][<ALL>]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'marat.vyshegorodtsev' matched without domain, user is marat.vyshegorodtsev
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [marat.vyshegorodtsev] from [<ALL>]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b2d0:1:marat.vyshegorodt...@contoso.com]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [contoso.com][1][1][name=marat.vyshegorodtsev]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xb99c10
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b2d0:1:marat.vyshegorodt...@contoso.com]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xb99c10
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
>
> sssd works in offline mode.
> You can find the reason/more details in different log files
> (sssd_$domain.log).
>
> You installed the server from scratch, so it might be a certificate issue
> (just a wild guess).
>
> LS
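The responder log Marat quoted only shows the symptom (the data provider answering "Offline"); the cause lives in the backend log, as Lukas points out. The script below is an added example, not part of the thread and not sssd project code: it parses sssd debug log lines in the `(timestamp) [process] [function] (0xlevel): message` layout seen above, and flags every data-provider reply that reports the backend as offline, correlating it with the user whose lookup was in flight. The sample log is the thread's own ssh responder output, rejoined onto single lines; the `find_offline_events` helper and its output shape are my own and assume only that layout.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Layout of an sssd debug log line, as quoted in the thread:
#   (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
# The process field may nest brackets (e.g. sssd[be[contoso.com]] in the backend log),
# so it is matched non-greedily up to the "] [" that precedes the function name.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Reply from the data provider; error message "Offline" means the backend has gone offline.
DP_REPLY_RE = re.compile(
    r"Got reply from Data Provider - DP error code: (?P<code>\d+) "
    r"errno: (?P<errno>\d+) error message: (?P<err>.*)$"
)
# Lookup issued by the ssh responder; used to attribute a later offline reply to a user.
PUBKEY_REQ_RE = re.compile(r"Requesting SSH user public keys for \[(?P<user>[^\]]+)\]")

# Sample input: the responder log lines quoted in the thread (single-line form).
SAMPLE_LOG = """\
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [marat.vyshegorodtsev][<ALL>]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'marat.vyshegorodtsev' matched without domain, user is marat.vyshegorodtsev
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [marat.vyshegorodtsev] from [<ALL>]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b2d0:1:marat.vyshegorodt...@contoso.com]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [contoso.com][1][1][name=marat.vyshegorodtsev]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xb99c10
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b2d0:1:marat.vyshegorodt...@contoso.com]
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xb99c10
(Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
"""


@dataclass
class Entry:
    ts: datetime
    proc: str
    func: str
    level: int   # sssd debug level bitmask, e.g. 0x0400
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one sssd debug line; return None for lines not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return Entry(ts, m["proc"], m["func"], int(m["level"], 16), m["msg"])


def find_offline_events(lines) -> List[dict]:
    """Return one record per data-provider reply whose error message is 'Offline'.

    Each record carries the timestamp, the DP error code and errno from the reply,
    and the user whose public-key lookup was most recently issued (None if unknown).
    """
    events: List[dict] = []
    current_user: Optional[str] = None
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        req = PUBKEY_REQ_RE.search(entry.msg)
        if req:
            current_user = req["user"]
        rep = DP_REPLY_RE.search(entry.msg)
        if rep and rep["err"].strip() == "Offline":
            events.append({
                "ts": entry.ts,
                "proc": entry.proc,
                "user": current_user,
                "dp_code": int(rep["code"]),
                "errno": int(rep["errno"]),
            })
    return events


def is_offline(lines) -> bool:
    """True if any data-provider reply in the given lines reported the backend offline."""
    return bool(find_offline_events(lines))


if __name__ == "__main__":
    for ev in find_offline_events(SAMPLE_LOG.splitlines()):
        print(f"{ev['ts']} {ev['proc']}: backend offline during lookup of "
              f"{ev['user']} (DP error {ev['dp_code']}, errno {ev['errno']})")
```

Run it against `/var/log/sssd/sssd_ssh.log` (or any responder log) to confirm the intermittent failures are offline replies rather than, say, a missing key; then open the backend log for the domain (`sssd_contoso.com.log` in this thread) at the same timestamps to see why the provider went offline, which is where a Kerberos or certificate problem after a fresh server install would show up.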