On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote: > Thanks Florence and Rob! The replica worked after adding the certs during > the replica preparation. > > Now I got several IPA clients installed with user authentication(ssh login > with the users in IPA) working after some work. However, one of them failed > during login with the following messages in syslog: > > Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Credentials cache > permissions incorrect
This is RHEL-7, right? Then I'm not sure why would ccache permissions be incorrect, maybe except for an SELinux issue.. (you are using the KEYRING ccache, right?) > Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity > check failed > Sep 29 21:41:13 ipaclient3 [sssd[krb5_child[2527]]]: Decrypt integrity > check failed These two mean a wrong password was supplied. You can enable sssd debugging and take a look into krb5_child.log. If you crank up the debug_level all the way up to 10, then you'll also see KRB5_TRACE-level messages.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project