[Freeipa-users] freeIPA bug: Kerberos clients fail talking to IPA server after ipa-client-install

Stephen Gallagher sgallagh at redhat.com
Tue May 1 12:02:13 UTC 2012


On Mon, 2012-04-30 at 14:51 -0700, David Copperfield wrote:
> 
> Hi folks,
> 
>  During migration of existing Kerberos/LDAP clients to IPA, after
> the 'ipa-client-install' command is run and reports a successful migration,
> we found that the client fails to talk to the IPA server.
> 
>  The symptom is: in the /var/log/messages file at IPA client side, we
> can see the following entries:
> 
>         Apr 30 11:07:04 ldapclient02 sssd: Starting up
>         Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]:
> Starting up
>         Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
>         Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
>         Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed
> to initialize credentials using keytab [(null)]: Decrypt integrity
> check failed. Unable to create GSSAPI-encrypted LDAP connection.
> 
>  It turns out that, instead of backing up and
> overwriting /etc/krb5.keytab, ipa-client-install only appends the newly
> generated host keytab entries to the same file /etc/krb5.keytab. Then,
> when the original entries have a higher KVNO version than the newly
> generated siblings, the latter are shadowed and ignored.
> 
> 
>  After manually removing the old entries from /etc/krb5.keytab with the
> tool ktutil (rkt, delent, wkt), the client immediately connects to the IPA
> server and the problem goes away. It would be greatly appreciated if the native
> ipa-rmkeytab could be extended to do the same job.
> 


Actually, this was a bug in SSSD that has now been fixed in the RHEL 6.3
beta. It's related to https://bugzilla.redhat.com/show_bug.cgi?id=805281

Please give that a try and see if it resolves your issue.
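The keytab condition David describes (a stale host entry with a higher KVNO sitting beside a freshly appended one) can be checked directly from the file. The following is an added example, not code from this thread or from FreeIPA/SSSD: it parses the MIT keytab v2 layout and flags principals whose newest entry has a lower KVNO than an older one. The sample keytab, hostname, realm, timestamps and key bytes are constructed.

```python
import struct
from collections import defaultdict

KEYTAB_V2 = b"\x05\x02"  # MIT keytab file format version 2

def _cstr(b):
    return struct.pack(">H", len(b)) + b  # counted octet string

def build_entry(realm, comps, kvno, timestamp, enctype, key):
    """Serialise one keytab v2 entry (only used to construct sample input)."""
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, timestamp, enctype) for every live entry."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _nt, ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        _et, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:           # 32-bit vno present: it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, ts, _et))
    return entries

def find_shadowed(entries):
    """Principals whose newest entry (by timestamp) has a lower KVNO than an older one."""
    by_princ = defaultdict(list)
    for princ, kvno, ts, _ in entries:
        by_princ[princ].append((ts, kvno))
    return {p: sorted(r) for p, r in by_princ.items()
            if max(r)[1] < max(k for _, k in r)}

# Constructed sample: old host entry KVNO 5, fresh appended entry KVNO 2, plus an unrelated principal.
SAMPLE_KEYTAB = KEYTAB_V2 + b"".join([
    build_entry("EXAMPLE.COM", ["host", "ldapclient02.example.com"], 5, 1300000000, 17, b"\x11" * 16),
    build_entry("EXAMPLE.COM", ["host", "ldapclient02.example.com"], 2, 1335800000, 17, b"\x22" * 16),
    build_entry("EXAMPLE.COM", ["nfs", "ldapclient02.example.com"], 1, 1335800000, 17, b"\x33" * 16)])
```

Running `find_shadowed(parse_keytab(open("/etc/krb5.keytab", "rb").read()))` on a real client reports exactly the principals for which the freshly written entry is outranked by a stale one; an empty result means no such overlap exists.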
