Hi there,

I have successfully set up freeipa and have it running in my environment.
I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47. This setup works fine for the majority of servers. But on just one host I am unable to authenticate the users; it gives me password denied.

Below is the error from /var/log/secure:

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for user q-testuser: 4 (System error)

and in my krb5_child.log, I see the below lines:

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): cmd [241] uid [1142000001] gid [1142000001] validate [true] enterprise principal [false] offline [false] UPN [q-testu...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1142000001_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1142000001_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1142000001_RjJBN2] and is not active and TGT is valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/10.2.2...@xyz.com in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.2.2...@xyz.com).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user] (0x0200): Trying to become user [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000): Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup] (0x2000): Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting initial credentials for q-testu...@xyz.com
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving host/10.2.2...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with result: -1765328243/Matching credential not found
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending request (185 bytes) to XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating TCP connection to stream 10.0.4.175:88
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP request to stream 10.
krb5_child.log (END)

Can someone please advise what seems to be going wrong here?

Thanks,
Rakesh
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project