On Tue, Jun 02, 2015 at 05:12:17PM -0600, Erinn Looney-Triggs wrote:
On 06/02/2015 01:20 AM, Jakub Hrozek wrote:
On Mon, Jun 01, 2015 at 11:11:51AM -0600, Erinn Looney-Triggs wrote:
This may or may not be related to FreeIPA, but it definitely is related to SSSD, so I reckoned I would start here.
I have two FreeIPA servers, after a password change for my account, one FreeIPA server works with the new password, and the other only works with the old password.
However, kinit works fine on both, and if I understand all the moving parts correctly, a kinit is going to go against the KDC on the respective IPA server, which backs into LDAP, yadda yadda. In short, my password IS changed on both; it is not a sync issue (I believe), but SSSD is flunking out.
Now I have run a debug session for SSSD and I THINK the following is the relevant part:
(Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
(Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]
I think this just means the keytab is wrong. Can you kinit with the keytab (kinit -k)?
Yep, works without issue.
Interesting. Can you then compare KRB5_TRACE=/dev/stderr kinit -k with the debug_level=10 logs you'll find in ldap_child.log?
Mainly, are the same servers used?
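A small helper for the comparison Jakub asks for, added here as an example and not part of the thread or of SSSD: it pulls the KDC hostnames out of KRB5_TRACE output from kinit -k, the LDAP server SSSD resolved out of a debug_level=10 back-end log, and the result code of any failed SASL bind, then reports whether both paths used the same host. The sample logs are constructed; the "Found server" line is an assumed shape for SSSD's resolver message, while the sasl_bind_send lines copy the shape quoted above.

```python
import re

# Constructed KRB5_TRACE output from `KRB5_TRACE=/dev/stderr kinit -k`. Hostnames
# and addresses are made up; the message shapes follow MIT krb5's trace output.
KINIT_TRACE = """\
[2143] 1431997072.812: Getting initial credentials for host/ipa2.example.com@EXAMPLE.COM
[2143] 1431997072.813: Sending request (207 bytes) to EXAMPLE.COM
[2143] 1431997072.814: Resolving hostname ipa2.example.com
[2143] 1431997072.815: Sending initial UDP request to dgram 192.0.2.12:88
[2143] 1431997072.820: Received answer (1422 bytes) from dgram 192.0.2.12:88
"""

# Constructed SSSD back-end log at debug_level=10. The "Found server" line is an
# ASSUMED shape for SSSD's server-resolution message; the sasl_bind_send lines
# copy the shape quoted in the thread.
SSSD_LOG = """\
(Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found server 'ipa1.example.com:389' in 'DNS'
(Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
(Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]
"""

KDC_RE = re.compile(r"Resolving hostname (\S+)")
LDAP_SERVER_RE = re.compile(r"Found server '([^':]+)(?::\d+)?'")
BIND_FAIL_RE = re.compile(r"ldap_sasl_bind failed \((\d+)\)")


def kdcs_from_trace(trace: str) -> set:
    """Hostnames kinit resolved as KDCs while getting the initial ticket."""
    return {m.group(1).lower() for m in KDC_RE.finditer(trace)}


def ldap_servers_from_log(log: str) -> set:
    """Hostnames SSSD's resolver picked for the LDAP/GSSAPI bind."""
    return {m.group(1).lower() for m in LDAP_SERVER_RE.finditer(log)}


def bind_error_codes(log: str) -> list:
    """LDAP result codes of every failed SASL bind (49 = invalidCredentials)."""
    return [int(m.group(1)) for m in BIND_FAIL_RE.finditer(log)]


def compare_servers(trace: str, log: str) -> dict:
    """Answer the thread's question: did kinit and SSSD talk to the same host?"""
    kdcs, ldap = kdcs_from_trace(trace), ldap_servers_from_log(log)
    return {
        "kdcs": kdcs,
        "ldap_servers": ldap,
        "same_servers": bool(ldap) and ldap <= kdcs,
        "bind_failed": 49 in bind_error_codes(log),
    }


if __name__ == "__main__":
    print(compare_servers(KINIT_TRACE, SSSD_LOG))
```

With the constructed input the verdict is a GSSAPI bind failure against a host that kinit never contacted, which is the mismatch worth chasing before suspecting the keytab itself.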