Hi, I have one IPA server, dirsrv001, and a new one, dirsrv002.
dirsrv001 is the old server, from which I want to unenroll my VPSs and join them to the new server. I did some testing with Ubuntu VPSs and that works perfectly.
I have a problem with one CentOS 7 server. I joined the client to dirsrv002 without problems, and I can log in over ssh, but I can't use sudo. It asks me for the password, then three times, and that is it. The sudo permission on the IPA server is configured well, because it works on the others.
If I run this command on that CentOS client: kinit my_username
and enter the password, everything is OK.
If I check syslog, I get this error:
[sssd[krb5_child[8541]]]: Key version is not available
I found that it is a problem with the /etc/krb5.keytab file. But I tried to unenroll the client, move that file and join again, and the problem was the same.
Please, does anyone have an idea?
*—* *Petar Kozić*
Hi,
I would make sure all client caches were cleaned up, like: ~/.cache/ipa/
François
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
There is no .cache folder under ~/home/. I have several users who connect, but none of them has that .cache.
But this helped me:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl restart sssd
*—*
*Petar Kozić*
Hi,
when you say 'join client to dirsrv002' I guess you run a new and separate IPA domain/instance on 'dirsrv002'. If you used the same domain and realm name for both instances, most probably your old but still valid Kerberos ccache /var/lib/sss/db/ccache_IPA.REALM was still in this directory and SSSD tried to authenticate to the new domain with the credentials from the old one.
bye, Sumit
Yes, you are right, I brought it up on the same domain and realm. Thanks for informing me.
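A check for the keytab question raised in this thread, as an added example that is not from any of the posters: it compares the key version number (KVNO) stored in /etc/krb5.keytab with the one the KDC currently issues for the host principal. The principal, the realm EXAMPLE.TEST and both sample outputs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare keytab KVNO with the KVNO the KDC reports.

# Constructed sample of `klist -k /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 host/client.example.test@EXAMPLE.TEST
   1 host/client.example.test@EXAMPLE.TEST'

# Constructed sample of `kvno host/client.example.test` output.
SAMPLE_KVNO='host/client.example.test@EXAMPLE.TEST: kvno = 2'

# Highest KVNO the keytab holds for principal $1 (klist -k output on stdin).
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { if (max >= 0) print max; else exit 1 }'
}

# KVNO issued by the KDC (`kvno <principal>` output on stdin).
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = principal, $2 = klist -k output, $3 = kvno output.
# Prints the verdict; returns 0 on match, 1 on mismatch, 2 on missing data.
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || {
        echo "principal-not-in-keytab"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kdc" ] || { echo "no-kdc-kvno"; return 2; }
    if [ "$kt" -eq "$kdc" ]; then
        echo "match"
    else
        echo "mismatch keytab=$kt kdc=$kdc"; return 1
    fi
}

# On a real client (as root, holding a valid ticket) the inputs would be:
#   compare_kvno "host/$(hostname -f)@REALM" \
#       "$(klist -k /etc/krb5.keytab)" "$(kvno "host/$(hostname -f)")"
compare_kvno 'host/client.example.test@EXAMPLE.TEST' \
    "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

If this reports a match and the error persists, the keytab is current and stale state under /var/lib/sss/db is the next thing to examine, which is consistent with how the thread was resolved.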