[Freeipa-users] Unable to authenticate a client user against IPA

Stephen Gallagher sgallagh at redhat.com
Tue Mar 8 22:10:38 UTC 2011



On 03/08/2011 04:40 PM, Steven Jones wrote:
> On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> 8><------
>>>
>>>
>>> So how do I fault find? where do I start?
>>>
>>> ie Where do I start to look to determine why a user cannot login to a
>>> client via freeipa?
>>>
>>> How can I be more clear? because so far the replies have been not very
>>> productive.
>>>
>>> regards
>>>
>>>
>>
>> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
>> sssd, and try your login again. Look
>> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>>
>> Your uid/gid will likely differ.
>>
>> # getent passwd admin
>> admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
>> # id admin
>> uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
>> # getent group admins
>> admins:*:264200000:admin
>> # finger admin
>> Login: admin                            Name: Administrator
>> Directory: /home/admin                  Shell: /bin/bash
>> Never logged in.
>> No mail.
>> No Plan.
> 
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab
> [default]
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> fatal error initializing data providers
> (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab
> [default]


Well, here's your problem. The SSSD isn't starting up successfully
because you don't have a host principal for this server in your
/etc/krb5.keytab file. This was probably a bug in the ipa-client-install.

What does
klist -k /etc/krb5.keytab
return to you?

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
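
Added example, not part of the message above and not FreeIPA or SSSD code: a shell check that pulls the principal SSSD reports as missing out of the backend log and looks for it in `klist -k` output. The function names, the example.com host and realm, and both sample listings are constructed; it assumes each log message is on one line and that `klist -k` is run without `-t`.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print each principal an SSSD backend log reports as missing from the keytab
# (stdin: log text, one message per line; stdout: unique principals).
sssd_missing_principals() {
    sed -n 's/.*Principal \[\([^]]*\)] not found in keytab.*/\1/p' | sort -u
}

# Succeed if the `klist -k` listing on stdin holds principal $1. Entry lines
# are "<KVNO> <principal>"; the numeric-KVNO test skips the header lines.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit !found }'
}

# $1 = log text, $2 = klist -k text. Reports every principal named in the log
# and returns non-zero if any of them is absent from the keytab listing.
check_log_against_keytab() {
    rc=0
    for p in $(printf '%s\n' "$1" | sssd_missing_principals); do
        if printf '%s\n' "$2" | keytab_has_principal "$p"; then
            echo "present in keytab: $p"
        else
            echo "MISSING from keytab: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed log lines in the shape quoted in the thread.
SAMPLE_LOG='(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]'

# Constructed `klist -k` listings: one with the host key, one with a stale name only.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM'
SAMPLE_KLIST_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/oldname.example.com@EXAMPLE.COM'

check_log_against_keytab "$SAMPLE_LOG" "$SAMPLE_KLIST_BAD" || true
```

On a live client the same function can be fed the contents of the SSSD domain log and the output of `klist -k /etc/krb5.keytab` in place of the sample variables.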



