[Freeipa-users] Re: ERR - attrlist_replace - attr_replace (nsslapd-referral,
Any ideas, anyone?

On Tue, 31 Jul 2018 at 13:22, James Harrison via FreeIPA-users wrote:

> Hello,
> We have a machine with the following set up:
> CentOS Linux release 7.4.1708 (Core)
> ipa-server-4.5.0-21.el7.centos.2.2.x86_64
> CA-less setup
>
> We're getting a lot of errors on one of our FreeIPA servers. Hope you can help.
>
> Many thanks
> James Harrison
>
> [31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:05.634974836 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [31/Jul/2018:12:19:05.660478907 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
> [31/Jul/2018:12:19:05.664268080 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-INT-DOMAIN-COM.socket for LDAPI requests
> [31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 (Unknown authentication method) (SASL(-4): no mechanism available: No worthy mechs found)
> [31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389): Replication bind with GSSAPI auth resumed
> [31/Jul/2018:12:19:11.139026788 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=int,dc=DOMAIN,dc=com
> [31/Jul/2018:12:19:11.143128988 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
> [31/Jul/2018:12:19:26.258468102 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
> [31/Jul/2018:12:19:26.261488755 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
> [31/Jul/2018:12:19:41.405312942 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:41.407352984 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:41.409312145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:44.489032389 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:44.490775486 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:46.882743610 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:46.887246145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
> [31/Jul/2018:12:19:46.889667896 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/74AVLHM4KQ3NT67RGABKUJOL4CTCLW6X/
[Freeipa-users] ERR - attrlist_replace - attr_replace (nsslapd-referral,
Hello,
We have a machine with the following set up:
CentOS Linux release 7.4.1708 (Core)
ipa-server-4.5.0-21.el7.centos.2.2.x86_64
CA-less setup

We're getting a lot of errors on one of our FreeIPA servers. Hope you can help.

Many thanks
James Harrison

[31/Jul/2018:12:19:05.542401358 +0100] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jul/2018:12:19:05.611267011 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.613868420 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:05.634974836 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[31/Jul/2018:12:19:05.646685174 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/pul-system-01.DOMAINNAME@DOMAINNAME] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jul/2018:12:19:05.657290290 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jul/2018:12:19:05.660478907 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[31/Jul/2018:12:19:05.664268080 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-INT-DOMAIN-COM.socket for LDAPI requests
[31/Jul/2018:12:19:05.712942138 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389) - Replication bind with GSSAPI auth failed: LDAP error -6 (Unknown authentication method) (SASL(-4): no mechanism available: No worthy mechs found)
[31/Jul/2018:12:19:08.916600270 +0100] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=pul-system-01.DOMAINNAME-to-pul-system-02.DOMAINNAME" (pul-system-02:389): Replication bind with GSSAPI auth resumed
[31/Jul/2018:12:19:11.139026788 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=int,dc=DOMAIN,dc=com
[31/Jul/2018:12:19:11.143128988 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
[31/Jul/2018:12:19:26.258468102 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
[31/Jul/2018:12:19:26.261488755 +0100] - ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
[31/Jul/2018:12:19:41.405312942 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.407352984 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:41.409312145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://cro-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.484329977 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.489032389 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:44.490775486 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.882743610 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.887246145 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[31/Jul/2018:12:19:46.889667896 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://hk-system-02.DOMAINNAME:389/dc%3Dint%2Cdc%3DDOMAIN%2Cdc%3Dcom) failed.
[Freeipa-users] Re: Freeipa connecting to Redhat IPA server.
Hi,
How much RAM does the FreeIPA server have?

Thanks

On Friday, 15 December 2017, 04:17:52 GMT, Tony Delov via FreeIPA-users wrote:

> I've been having difficulties connecting a freeipa-client on Ubuntu 16.06 LTS to a Redhat IPA server that has a trusted connection to a Microsoft AD server. Ssh authentications are pretty slow; however, once I do get on, I find sudo commands often do not work for several minutes, saying I am "not in the sudoers file." This is even though I am in the same group on the access.conf file and a sudoers file.
>
> I think the initial slowness is due to the fact that our AD system has lots of groups and I am part of many large groups with many users. I've been checking the sssd cache file, and I can see that ssh authentication does not even start until almost all groups I am a member of have been added to the cache. However, that does not explain why sudo is being delayed as the groups are already cached.
>
> Has anyone got any advice about setting up a freeipa-client on Ubuntu to connect to a Redhat IPA server? Has anyone else experienced difficulties with sudo commands? Group membership (id) not listing all the groups a person is a member of all the time.
>
> IPA Client
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
> # dpkg --list | grep freeipa
> ii  freeipa-client  4.3.1-0ubuntu1  amd64  FreeIPA centralized identity framework -- client
> ii  freeipa-common  4.3.1-0ubuntu1  all    FreeIPA centralized identity framework -- common files
>
> IPA Server
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.4 (Maipo)
> # rpm -qa | grep "ipa-"
> sssd-ipa-1.15.2-50.el7_4.6.x86_64
> ipa-common-4.5.0-21.el7_4.2.2.noarch
> ipa-server-4.5.0-21.el7_4.2.2.x86_64
> ipa-client-common-4.5.0-21.el7_4.2.2.noarch
> ipa-client-4.5.0-21.el7_4.2.2.x86_64
> ipa-server-common-4.5.0-21.el7_4.2.2.noarch
> ipa-server-trust-ad-4.5.0-21.el7_4.2.2.x86_64
>
> Regards
> Tony D
[Freeipa-users] ERR - ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
Hello,
I'm reinstalling a replica FreeIPA server in a CA-less environment. I looked online and found: https://www.redhat.com/archives/freeipa-users/2016-December/msg00391.html which is similar (or exactly the problem), but there's no solid resolution.

I recopied /etc/ipa/ca.crt to the new server from an existing ipa server.

[root@cro-lv-ipa-01 log]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@cro-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)

Not sure what to do. Really appreciate any help.

Many thanks
James

Below is a snip from log files:
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.546670082 +] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is going offline; disabling replication
Dec 14 15:34:34 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:34.756581200 +] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 1
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 2
Dec 14 15:34:35 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI server step 3
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.608407982 +] - INFO - import_monitor_threads - import userRoot: Workers finished; cleaning up...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.845823301 +] - INFO - import_monitor_threads - import userRoot: Workers cleaned up.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.862303717 +] - INFO - import_main_offline - import userRoot: Indexing complete. Post-processing...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.879128392 +] - INFO - import_main_offline - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.926416316 +] - INFO - import_main_offline - import userRoot: Generating numSubordinates complete.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.937805159 +] - INFO - ldbm_get_nonleaf_ids - import userRoot: Gathering ancestorid non-leaf IDs...
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.954558879 +] - INFO - ldbm_get_nonleaf_ids - import userRoot: Finished gathering ancestorid non-leaf IDs.
Dec 14 15:34:37 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:37.988095437 +] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Creating ancestorid index (new idl)...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.037871941 +] - INFO - ldbm_ancestorid_new_idl_create_index - import userRoot: Created ancestorid index (new idl).
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.054977988 +] - INFO - import_main_offline - import userRoot: Flushing caches...
Dec 14 15:34:38 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:38.071740106 +] - INFO - import_main_offline - import userRoot: Closing files...
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.087512816 +] - INFO - import_main_offline - import userRoot: Import complete. Processed 2258 entries in 5 seconds. (451.60 entries/sec)
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.108388854 +] - ERR - ipa-topology-plugin - ipa_topo_be_state_change - backend userRoot is coming online; checking domain level and init shared topology
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.144415357 +] - NOTICE - NSMMReplicationPlugin - multimaster_be_state_change - Replica dc=int,dc=DOMAIN,dc=com is coming online; enabling replication
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.194223235 +] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=int,dc=DOMAIN,dc=com--no CoS Templates found, which should be added before the CoS Definition.
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: GSSAPI client step 1
Dec 14 15:34:39 cro-lv-ipa-01.int.DOMAIN.com ns-slapd[19065]: [14/Dec/2017:15:34:39.216305850 +] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=int,dc=DOMAIN,dc=com does not exist
Dec 14
[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection
UPDATE: The principal info was wrong. I did this and the error hasn't shown up since:

[root@ipa-02 ~]# ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p host/ipa-02 --retrieve
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Thanks for all your help.

On Monday, 4 December 2017, 09:53:55 GMT, Sumit Bose via FreeIPA-users wrote:

On Mon, Dec 04, 2017 at 09:37:41AM +, James Harrison wrote:
> I ran the ipa-getkeytab command you suggested below:
> This was what I got:
> BTW: The IPAUSER is an admin user, but not the "admin" user. I got the same result with the admin user.
>
> ~] IPA-02 # kinit IPAUSER
> Password for x_ipau...@int.example.com:
>
> ~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
> Failed to parse result: Insufficient access rights

The keytab content should be protected like a clear text password, hence not even IPA admin users have access by default and I would recommend to only use the --retrieve option of ipa-getkeytab if it is really needed, i.e. that the keys really have to be used at two different places and there is no other secure way to copy the keytab content. If you just want to get /etc/krb5.keytab up-to-date, just do not use the --retrieve option. If you still want to use --retrieve, you can find the details about setting the permissions e.g. at https://www.freeipa.org/page/V4/Keytab_Retrieval_Management.

HTH

bye,
Sumit

> Failed to get keytab
>
> Many thanks
>
> On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users wrote:
>
> On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> >
> > I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (we have other SLES hosts that are fine); we're seeing this error when users try and login, they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.
> >
> > In this host's /var/log/sssd/ldap_child.log
> >
> > <27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> > <27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
> > <27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> > <27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
> >
> > On the FreeIPA server from /var/log/krb5kdc.log
> >
> > 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example@example.org for krbtgt/example@example.org, Additional pre-authentication required
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example@example.org for krbtgt/example@example.org, Preauthentication failed
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example@example.org for krbtgt/example@example.org, Additional pre-authentication required
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> > Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example@example.org for krbtgt/example@example.org, Preauthentication failed
> >
> > On the host in question klist gives the following (note that kinit works, even if ssh login does not):
> >
> > sles01:~ # klist -kte
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Timestamp         Principal
> > ---- ----------------- ----------------------------------------------------
> >    1 12/01/17 04:30:40 host/sles01.example@example.org
> >
[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection
I ran the ipa-getkeytab command you suggested below:
This was what I got:
BTW: The IPAUSER is an admin user, but not the "admin" user. I got the same result with the admin user.

~] IPA-02 # kinit IPAUSER
Password for x_ipau...@int.example.com:

~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
Failed to parse result: Insufficient access rights
Failed to get keytab

Many thanks

On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users wrote:

On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (we have other SLES hosts that are fine); we're seeing this error when users try and login, they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.
>
> In this host's /var/log/sssd/ldap_child.log
>
> <27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> <27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
> <27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> <27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
>
> On the FreeIPA server from /var/log/krb5kdc.log
>
> 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example@example.org for krbtgt/example@example.org, Additional pre-authentication required
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example@example.org for krbtgt/example@example.org, Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example@example.org for krbtgt/example@example.org, Additional pre-authentication required
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example@example.org for krbtgt/example@example.org, Preauthentication failed
>
> On the host in question klist gives the following (note that kinit works, even if ssh login does not):
>
> sles01:~ # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ----------------------------------------------------
>    1 12/01/17 04:30:40 host/sles01.example@example.org (aes256-cts-hmac-sha1-96)
>    1 12/01/17 04:30:40 host/sles01.example@example.org (aes128-cts-hmac-sha1-96)
     ^^^
> sles01:~ # kinit admin
> Password for ad...@example.org:
> kinit: Preauthentication failed while getting initial credentials
> sles01:~ # kinit admin
> Password for ad...@example.org:
> sles01:~ # kvno host/sles01.example@example.org
> host/sles01.example@example.org: kvno = 3
                                          ^^^

The host keys stored in /etc/krb5.keytab got out of sync: the keytab still has KVNO 1 while the current one is already 3. Most probably someone called ipa-getkeytab without writing the result back to /etc/krb5.keytab. ipa-getkeytab by default will generate new keys; you have to use the option --retrieve to get the current keys. To fix this call ipa-getkeytab again with the --keytab=/etc/krb5.conf option on sles01.example.org to update /etc/krb5.keytab.

HTH

bye,
Sumit

> Also, I've compared NTP and there's only ~2.5ms offset between the two hosts.
>
> Increasing the logging level of sssd to debug_level=9 which does not generate more logs.
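Sumit's diagnosis above rests on a single comparison: the KVNO recorded in the host's keytab (from klist -kte) against the KVNO the KDC currently holds for the same principal (from kvno). The shell script below is an added example, not code from this thread or from the FreeIPA project; it turns that manual comparison into a check that can be run on any enrolled host. The klist and kvno output it parses is constructed to mirror the sles01 case, and the principal host/sles01.example.org@EXAMPLE.ORG and realm EXAMPLE.ORG are assumed names. The "ahead" verdict, for a keytab that is newer than what the KDC holds, goes beyond the case in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the KVNO a host's keytab
# carries for a principal with the KVNO the KDC currently serves, which is
# the check done by hand above (klist -kte versus kvno).
# Principal, realm and timestamps below are constructed for the example.

# Constructed `klist -kte` output, modelled on the sles01 keytab in the thread
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)'

# Constructed `kvno host/sles01.example.org@EXAMPLE.ORG` output
SAMPLE_KVNO='host/sles01.example.org@EXAMPLE.ORG: kvno = 3'

# keytab_kvno PRINCIPAL KLIST_OUTPUT
# Prints the highest KVNO stored for PRINCIPAL in klist -kte output, nothing if absent.
# klist -kte fields: $1 KVNO, $2 date, $3 time, $4 principal, $5 (enctype)
keytab_kvno() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $4 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) { max = $1 + 0; found = 1 } }
    END { if (found) print max }'
}

# kdc_kvno PRINCIPAL KVNO_OUTPUT
# Prints the KVNO the KDC reports, from a line of the form "principal: kvno = N".
kdc_kvno() {
  printf '%s\n' "$2" | awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# keytab_check PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Prints one word: "ok" (keys match), "stale" (keytab behind the KDC, the case in
# the thread), "ahead" (keytab newer than the KDC, e.g. after a KDC restore) or
# "missing" (principal absent from one side).
keytab_check() {
  kt=$(keytab_kvno "$1" "$2")
  kdc=$(kdc_kvno "$1" "$3")
  if [ -z "$kt" ] || [ -z "$kdc" ]; then
    echo missing
  elif [ "$kt" -lt "$kdc" ]; then
    echo stale
  elif [ "$kt" -gt "$kdc" ]; then
    echo ahead
  else
    echo ok
  fi
}

# Stand-alone run against the constructed samples. On a real host replace the
# samples with the output of:  klist -kte   and   kvno "$PRINCIPAL"  (needs a TGT).
PRINCIPAL='host/sles01.example.org@EXAMPLE.ORG'
echo "$PRINCIPAL: keytab KVNO=$(keytab_kvno "$PRINCIPAL" "$SAMPLE_KLIST") KDC KVNO=$(kdc_kvno "$PRINCIPAL" "$SAMPLE_KVNO") -> $(keytab_check "$PRINCIPAL" "$SAMPLE_KLIST" "$SAMPLE_KVNO")"
# A "stale" verdict is fixed on the affected host by re-fetching the keys, as in
# the thread:  ipa-getkeytab --keytab=/etc/krb5.keytab -s <ipa-server> -p "$PRINCIPAL"
# Without --retrieve this generates new keys, so the KDC-side KVNO moves up too and
# any other copy of the same keytab becomes stale in turn.
```

The constructed input reproduces the thread's mismatch and the script reports "stale" for it. Because kvno needs a ticket to query the KDC, run the real check after kinit, and treat "missing" as a separate finding: it usually means the keytab does not contain the principal you expect, which is what the UPDATE in the follow-up message turned out to be.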
[Freeipa-users] GSSAPI-encrypted LDAP connection
Hello,
On one of our FreeIPA servers we are seeing the following messages from journal -f

Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain@int.domain.com for krbtgt/int.domain@int.domain.com, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: host/ipa-01.int.domain@int.domain.com for krbtgt/int.domain@int.domain.com, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain@int.domain.com for krbtgt/int.domain@int.domain.com, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): closing down fd 11
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Preauthentication failed

[root@pul-lv-ipa-01 ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@pul-lv-ipa-01 log]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)

Many thanks for any help,

Regards,
James Harrison
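The KDC lines in this post are the server-side view of the failure that the replies earlier on this page traced to a keytab whose keys no longer match the KDC. The script below is an added example, not code from the thread or from the FreeIPA project: it scans krb5kdc log lines and reports host/ service principals that keep failing preauthentication from the same client address. A user mistyping a password produces the same PREAUTH_FAILED message, but a host principal authenticating from a keytab has no typo to make, so a sustained run of failures for it is a strong hint of drifted keys rather than a bad password. The log excerpt is constructed, modelled on the lines in this post, with made-up addresses and principal names.

```shell
#!/bin/sh
# Added example, not from the thread: flag host/ principals that repeatedly fail
# preauthentication from one client address in krb5kdc log output.
# Log lines, client addresses and principal names are constructed for the example.

SAMPLE_KDC_LOG='Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Additional pre-authentication required
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:50:15 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: host/ipa-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:50:20 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.99: PREAUTH_FAILED: admin@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed
Dec 01 11:50:21 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.3.5.77: PREAUTH_FAILED: host/web-01.int.domain.com@INT.DOMAIN.COM for krbtgt/INT.DOMAIN.COM@INT.DOMAIN.COM, Preauthentication failed'

# stale_keytab_suspects THRESHOLD LOG_TEXT
# Prints "client principal failures" for every host/ principal that has at least
# THRESHOLD PREAUTH_FAILED entries from a single client address, sorted.
# User principals (no host/ prefix) are ignored: a wrong password looks the same
# on the KDC but is not a keytab problem.
stale_keytab_suspects() {
  printf '%s\n' "$2" | awk -v min="$1" '
    / PREAUTH_FAILED: host\// {
      for (i = 2; i <= NF; i++) {
        if ($i == "PREAUTH_FAILED:") {
          ip = $(i - 1); sub(/:$/, "", ip)   # "10.3.5.88:" -> "10.3.5.88"
          count[ip " " $(i + 1)]++
          break
        }
      }
    }
    END { for (k in count) if (count[k] >= min) print k, count[k] }' | sort
}

# Stand-alone run against the constructed sample. On a server, feed it the real
# log, e.g.  stale_keytab_suspects 3 "$(journalctl -u krb5kdc --since -1h)"
stale_keytab_suspects 3 "$SAMPLE_KDC_LOG"
```

With a threshold of 3 the sample yields one suspect, 10.3.5.88 for host/ipa-01.int.domain.com@INT.DOMAIN.COM, while the single failure from web-01 and the admin user's failure stay below it. The client address is part of the key on purpose: the same host principal failing from two addresses points at two copies of a keytab, one of which has been regenerated and left the other behind.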
[Freeipa-users] FreeIPA server: Replication issues
Hello,
I am using CentOS to host our FreeIPA servers. We have a CA-less setup. I have upgraded to CentOS 7.4 and FreeIPA version: VERSION: 4.5.0, API_VERSION: 2.228

The upgrade of both went off without any seen errors. However, now I am getting the following messages on each server (12 in total):

"ERR - attrlist_replace - attr_replace (nsslapd-referral" messages

Firstly, are these messages real problems I need to deal with?
Secondly, if they are problems, how do I fix them?

I have searched the internet and found lots of confusing mail threads, but no howto style document.

Thanks for any help.

Regards,
James Harrison