[Freeipa-users] freeIPA bug: Kerberos clients fail talking to IPA server after ipa-client-install

Rob Crittenden rcritten at redhat.com
Tue May 1 13:31:22 UTC 2012


David Copperfield wrote:
>
> Hi folks,
>
> During migration of existing Kerberos/LDAP setup clients to IPA, after
> the 'ipa-client-install' command is run and reports a successful migration, we
> found that the client fails to talk with the IPA server.
>
> The symptom is: in the /var/log/messages file at IPA client side, we can
> see the following entries:
>
> Apr 30 11:07:04 ldapclient02 sssd: Starting up
> Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
> Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
> Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to
> initialize credentials using keytab [(null)]: Decrypt integrity check
> failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> It is figured out that, instead of backing up and overwriting
> /etc/krb5.keytab, ipa-client-install only appends the newly generated host
> keytab entries to the same file /etc/krb5.keytab. Then when the original
> entries have a higher KVNO version than the newly generated siblings,
> the latter are shadowed and ignored.
>
> After manually removing the old entries from /etc/krb5.keytab with the
> tool ktutil (rkt, delent, wkt), the client immediately connects to the IPA
> server and the problem goes away. It will be greatly appreciated if the native
> ipa-rmkeytab can be extended to do the same job.

ipa-rmkeytab doesn't need to be extended to do this, we would just want 
to run it prior to ipa-getkeytab in the installer. There is an option to 
remove all tickets for a given realm, that seems to be the best fit 
here. I opened a ticket to track this, 
https://fedorahosted.org/freeipa/ticket/2698

rob
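The KVNO-shadowing situation reported above and the ktutil cleanup the reporter used, as an added example that is not part of this thread and not FreeIPA's own code: a POSIX shell script that reads the text output of `klist -kte`, reports every principal whose keytab entries carry more than one KVNO (the entries with the lower KVNO are the ones that end up ignored, as the report describes), and emits a ktutil batch that deletes the entries of one stale KVNO. The keytab path, host name, realm, timestamps and KVNOs in the embedded sample are constructed for the example, not taken from the report.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): find keytab entries that
# are shadowed by a higher KVNO for the same principal, and build the ktutil
# batch that removes the stale ones. Input is the text produced by `klist -kte`
# (the -t flag matters: the script expects the columns KVNO, date, time,
# principal, enctype in that order).

# shadowed_entries: read `klist -kte` output on stdin and print one line per
# principal whose entries carry more than one KVNO:
#   <principal> <highest_kvno> <lower_kvno>...
# In the situation the report describes, the freshly fetched IPA host keys are
# the ones with the lower KVNO, sitting behind the old higher-KVNO entries.
shadowed_entries() {
    awk '
        $1 ~ /^[0-9]+$/ {                     # data lines start with the KVNO
            kvno = $1 + 0; princ = $4
            if (!(princ in kvnos)) { order[++n] = princ; kvnos[princ] = "" }
            if (!((princ SUBSEP kvno) in seen)) {
                seen[princ SUBSEP kvno] = 1
                kvnos[princ] = (kvnos[princ] == "" ? kvno : kvnos[princ] " " kvno)
                if (kvno > max[princ]) max[princ] = kvno
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                nl = split(kvnos[p], list, " ")
                lower = ""
                for (j = 1; j <= nl; j++)
                    if (list[j] + 0 < max[p]) lower = lower " " list[j]
                if (lower != "") printf "%s %d%s\n", p, max[p], lower
            }
        }'
}

# ktutil_script KEYTAB PRINCIPAL KVNO: read the same `klist -kte` output on
# stdin and print a ktutil batch that deletes every entry of PRINCIPAL with
# that KVNO. Slot numbers follow the klist order (ktutil's `rkt` loads the
# entries into slots 1..N in the same order) and are deleted highest slot
# first, because ktutil renumbers the remaining slots after each delent.
# The result goes to KEYTAB.new rather than back into KEYTAB, since `wkt`
# appends to an existing keytab file instead of replacing it.
ktutil_script() {
    awk -v keytab="$1" -v princ="$2" -v drop="$3" '
        $1 ~ /^[0-9]+$/ { slot++; if ($4 == princ && $1 + 0 == drop + 0) slots[++k] = slot }
        END {
            if (k == 0) exit 0
            print "rkt " keytab
            for (i = k; i >= 1; i--) print "delent " slots[i]
            print "wkt " keytab ".new"
            print "quit"
        }'
}

# Constructed sample of `klist -kte` output (not real output from the report):
# two old KVNO 5 host keys left over from the pre-IPA KDC, the KVNO 1 keys that
# ipa-client-install appended, and an unrelated principal with a single KVNO.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 04/30/12 10:00:00 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   5 04/30/12 10:00:00 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (des3-cbc-sha1)
   1 04/30/12 11:07:00 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   1 04/30/12 11:07:00 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes128-cts-hmac-sha1-96)
   2 04/30/12 11:07:00 nfs/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)'

# Demo on the sample; on a real client pipe `klist -kte` in instead.
printf '%s\n' "$SAMPLE_KLIST" | shadowed_entries
printf '%s\n' "$SAMPLE_KLIST" | ktutil_script /etc/krb5.keytab \
    host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM 5
```

Run the emitted batch with `ktutil < batch`, check the new file with `klist -kte /etc/krb5.keytab.new`, and only then move it over /etc/krb5.keytab. The whole-realm route from the reply above, `ipa-rmkeytab -k /etc/krb5.keytab -r REALM`, removes every entry for that realm, including the ones ipa-client-install has just fetched, so if it is run by hand after the install the host keys have to be fetched again with ipa-getkeytab (which needs credentials allowed to manage the host); that is why the ticket proposes running it before ipa-getkeytab inside the installer.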
