Hello the list,
It looks like sssd's horrible logging messages were to blame. It looks like when the keytab was initially deployed the system time between the IPA server and the host was not quite in sync and the keytab was invalidated. I redeployed the host's keytab (which, because SLES lacks the ipa-client tools, had to be done on the IPA server and delivered via SCP) and the problem was resolved.
Regards,
Aaron
From: Aaron Hicks [mailto:aaron.hicks@nesi.org.nz]
Sent: Monday, 4 December 2017 2:51 PM
To: 'Aaron Hicks via FreeIPA-users' freeipa-users@lists.fedorahosted.org
Subject: Unable to create GSSAPI-encrypted LDAP connection
Hello the list,
I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine); we're seeing this error when users try to log in: they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.
In this host's /var/log/sssd/ldap_child.log:
<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
On the FreeIPA server, from /var/log/krb5kdc.log:
17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
On the host in question, klist gives the following (note that kinit works, even if ssh login does not):
sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
sles01:~ # kvno host/sles01.example.org@EXAMPLE.ORG
host/sles01.example.org@EXAMPLE.ORG: kvno = 3
Also, I've compared NTP and there's only ~2.5ms offset between the two hosts.
Increasing the logging level of sssd to debug_level=9 does not generate more logs.
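As an added diagnostic (not part of the thread or of FreeIPA/sssd), the script below parses `klist -kte` and `kvno` output of the shape shown above and flags principals whose keytab does not hold the key version the KDC currently reports. The embedded outputs are constructed to mirror the thread, where the keytab holds kvno 1 for the host principal while the KDC answers kvno 3.

```python
"""Compare key version numbers (KVNO) in a keytab listing against the KDC's."""
import re
from collections import defaultdict

# Constructed sample output modelled on the thread: `klist -kte` on the host
# shows kvno 1 for the host principal, while `kvno` against the KDC returns 3.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
"""
KVNO_OUTPUT = "host/sles01.example.org@EXAMPLE.ORG: kvno = 3\n"

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")

def parse_klist(text):
    """Return {principal: set of KVNOs present in the keytab}."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def parse_kvno(text):
    """Return {principal: current KVNO according to the KDC}."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result

def stale_principals(klist_text, kvno_text):
    """Principals whose keytab lacks the KVNO the KDC currently reports.

    The keytab key then no longer matches the KDC's key for that principal,
    so keytab-based AS_REQs fail encrypted_timestamp preauth, as in the
    krb5kdc.log above. Returns {principal: (kvnos_in_keytab, kdc_kvno)}.
    """
    keytab, kdc = parse_klist(klist_text), parse_kvno(kvno_text)
    return {p: (sorted(keytab.get(p, set())), cur)
            for p, cur in kdc.items() if cur not in keytab.get(p, set())}

if __name__ == "__main__":
    for p, (held, cur) in stale_principals(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"{p}: keytab has kvno {held}, KDC reports kvno {cur}")
```

Feed it real output by piping `klist -kte` and `kvno <principal>` into the two strings; an empty result means every principal the KDC was asked about has a matching key in the keytab.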