Discussion:
[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Sean Hogan
2016-11-16 02:24:38 UTC
Hello,


I am starting to see some issues with a few RHEL7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.


RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64

RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64


The RHEL 7 client shows this in messages

Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
for encryption type
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
failed. Unable to create GSSAPI-encrypted LDAP connection.

I am also not seeing host certs for them on the ipa server but I do see
them on the local box.

[***@server1 pam.d]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 host/***@IPA.LOCAL
2 1 host/***@IPA.LOCAL
3 1 host/***@IPA.LOCAL
4 1 host/***@IPA.LOCAL
ktutil:


I have one RHEL 7 box with no issues as it was just enrolled (missing host
certs in IPA though) and I compared and IPA ID login with a box not
working
NOT Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'

vs

Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'

It's almost as if the pam files are not being read?



Sean Hogan
Jakub Hrozek
2016-11-16 09:22:07 UTC
Post by Sean Hogan
Hello,
I am starting to see some issues with a few RHEL7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.
RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64
RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
The RHEL 7 client shows this in messages
Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
for encryption type
Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?
Post by Sean Hogan
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
failed. Unable to create GSSAPI-encrypted LDAP connection.
I am also not seeing host certs for them on the ipa server but I do see
them on the local box.
Can you run klist -ke as well to see what encryption types are included
in the keytab?

Is it possible to run "kinit -k" on the client?
Post by Sean Hogan
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
I have one RHEL 7 box with no issues as it was just enrolled (missing host
certs in IPA though) and I compared and IPA ID login with a box not
working
Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'
vs
Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'
It's almost as if the pam files are not being read?
Sean Hogan
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Sean Hogan
2016-11-16 16:14:20 UTC
Hi Jakub,

Thanks... here is output


klist -ke
[***@server1 rusers]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/***@IPA.LOCAL (aes256-cts-hmac-sha1-96)
1 host/***@IPA.LOCAL (aes128-cts-hmac-sha1-96)
1 host/***@IPA.LOCAL (des3-cbc-sha1)
1 host/***@IPA.LOCAL (arcfour-hmac)



kinit -k odd though as kinit -k seems to fail but kinit with admin seems
to work indicating I can hit the KDC even though kinit -k says I cannot?

[***@server1 pam.d]# kinit -k server1
kinit: Keytab contains no suitable keys for ***@IPA.LOCAL while getting
initial credentials
[***@server1 pam.d]# kinit -k server1.IPA.LOCAL
kinit: Keytab contains no suitable keys for ***@IPA.LOCAL
while getting initial credentials
[***@server1 pam.d]# kinit admin
Password for ***@ipa.local:
[***@server1 pam.d]#
[***@server1 pam.d]# klist
Ticket cache: KEYRING:persistent:1111111111:1111111111
Default principal: ***@IPA.LOCAL

Valid starting Expires Service principal
11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/***@IPA.LOCAL

[***@server1 pam.d]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 host/***@IPA.LOCAL
2 1 host/***@IPA.LOCAL
3 1 host/***@IPA.LOCAL
4 1 host/***@IPA.LOCAL



Added debug_level = 10 on the domain section of sssd.conf and restarted is
all I see
[***@server1 sssd]# cat ldap_child.log
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type




Additional:

[***@server1 rusers]# systemctl -l status sssd.service
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 3042 (sssd)
CGroup: /system.slice/sssd.service
├─3042 /usr/sbin/sssd -D -f
├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0 --debug-to-files
├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security
Services Daemon.
Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed to
initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt
integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
[***@server1 rusers]#

Seeing this in /var/log/sssd/sssd_ipa.local.log

(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could not
initialize backend [14]
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]]
[select_principal_from_keytab] (0x0010): Failed to read keytab [default]:
Bad address
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module]
(0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!

This is also strange but might be side effect I assume.. we mount NFS v4
home dir with automount for central homes and profiles.. on the boxes
having this issue some of the IDs show just the UID numbers/GID numbers
where some of the IDs actually show the UID name/GID name. We have over 2k
servers showing the UID name/GID name with no issues.. just the boxes
having this issue.



Sean Hogan









Martin Babinsky
2016-11-16 16:32:58 UTC
Post by Sean Hogan
Hi Jakub,
Thanks... here is output
*klist -ke*
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
*kinit -k odd though as kinit -k seems to fail but kinit with admin
seems to work indicating I can hit the KDC even though kinit -k says I
cannot?*
getting initial credentials
while getting initial credentials
You need to specify full principal name as printed from klist command,
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local
--
Martin^3 Babinsky
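The two checks Jakub and Martin ask for above (what the keytab holds, and which principal name to hand to kinit) are easy to get wrong by eye, so here is a small script that reads `klist -ke` output and answers them. It is an added example, not from the thread or from the FreeIPA/SSSD projects: the `SAMPLE_KLIST` text is constructed in the shape of the listing posted above (placeholder host and realm), and `LOCAL_ENCTYPES` is an assumed list of what the local krb5 library accepts, standing in for the `permitted_enctypes` setting in `/etc/krb5.conf` on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): inspect "klist -ke" output so that a
# failing "kinit -k" can be traced to a wrong principal name or to a key
# enctype the local library does not support, before touching sssd.

# Constructed sample in the same shape as the thread's "klist -ke" listing;
# host name and realm are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 host/client1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   1 host/client1.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   1 host/client1.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 nfs/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Assumed list of enctypes the local krb5 library will use (placeholder for
# this example; on a real host derive it from permitted_enctypes in
# /etc/krb5.conf and the installed krb5 version).  Strongest first.
LOCAL_ENCTYPES='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac'

# "principal enctype" pairs, one per line; header lines have no numeric KVNO.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $3); print $2, $3 }'
}

# Unique principals stored in the keytab.
keytab_principals() {
    keytab_entries "$1" | awk '{ print $1 }' | sort -u
}

# Exit 0 if the keytab holds exactly this principal name.  "kinit -k server1"
# asks for server1@REALM, not host/server1.example.test@REALM, which is why
# kinit then reports "Keytab contains no suitable keys".
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# Enctypes stored for one principal, space separated, in keytab order.
keytab_enctypes_for() {
    keytab_entries "$1" | awk -v p="$2" '$1 == p { print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# Keys of the principal whose enctype is absent from LOCAL_ENCTYPES: the local
# library cannot use them ("Program lacks support for encryption type").
unsupported_enctypes_for() {
    for e in $(keytab_enctypes_for "$1" "$2"); do
        case " $LOCAL_ENCTYPES " in
            *" $e "*) ;;
            *) printf '%s\n' "$e" ;;
        esac
    done
}

# Strongest key the principal has that the local library also accepts;
# exit 1 when there is none (every key would be rejected).
best_usable_enctype_for() {
    have=$(keytab_enctypes_for "$1" "$2")
    for e in $LOCAL_ENCTYPES; do
        case " $have " in
            *" $e "*) printf '%s\n' "$e"; return 0 ;;
        esac
    done
    return 1
}

# Summary of a keytab, as you would read it before running
# "kinit -kt /etc/krb5.keytab <principal>" on the client.
report_keytab() {
    for p in $(keytab_principals "$1"); do
        printf '%s\n' "$p"
        printf '  keys in keytab : %s\n' "$(keytab_enctypes_for "$1" "$p")"
        u=$(unsupported_enctypes_for "$1" "$p" | tr '\n' ' ')
        printf '  unusable locally: %s\n' "${u:-none}"
        printf '  best usable key : %s\n' "$(best_usable_enctype_for "$1" "$p" || echo none)"
    done
}

report_keytab "$SAMPLE_KLIST"
```

On a real client replace the constructed sample with `SAMPLE_KLIST=$(klist -ke)` (as root, since `/etc/krb5.keytab` is root-only) and feed `report_keytab` the result; a principal whose "best usable key" line reads `none` is one that neither `kinit -kt` nor sssd's `ldap_child` can authenticate with, and the fix is on the key or library side, not in the PAM stack.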
Sean Hogan
2016-11-16 16:56:59 UTC
Sorry.. listing output of klist -e and klist -ke... but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails


Klists

[***@server1 read]# klist -e
Ticket cache: KEYRING:persistent:111111111:11111111111
Default principal: ***@ipa.local

Valid starting Expires Service principal
11/16/2016 10:44:02 11/17/2016 10:43:54 krbtgt/***@IPA.LOCAL
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


[***@server1 read]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/***@IPA.LOCAL (aes256-cts-hmac-sha1-96)
1 host/***@IPA.LOCAL (aes128-cts-hmac-sha1-96)
1 host/***@IPA.LOCAL (des3-cbc-sha1)
1 host/***@IPA.LOCAL (arcfour-hmac)



Kinits

[***@server1 read]# kinit -k /etc/krb5.keytab host/server1.ipa.local
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C]
[-E]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]

options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]

[***@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting initial
credentials
[***@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
kinit: Program lacks support for encryption type while getting initial
credentials


Sean Hogan










Martin Babinsky
2016-11-16 17:54:24 UTC
Sorry.. listing output of klist -e and klist -ke... but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails
*Klists*
Ticket cache: KEYRING:persistent:111111111:11111111111
Valid starting Expires Service principal
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
*Kinits *
Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local'
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C]
[-E]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]
options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
initial credentials
kinit: Program lacks support for encryption type while getting initial
credentials
Sean Hogan
Inactive hide details for Martin Babinsky ---11/16/2016 09:33:08 AM---On
11/16/2016 05:14 PM, Sean Hogan wrote: > Hi Jakub,Martin Babinsky
---11/16/2016 09:33:08 AM---On 11/16/2016 05:14 PM, Sean Hogan wrote: >
Hi Jakub,
Date: 11/16/2016 09:33 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Post by Sean Hogan
Hi Jakub,
Thanks... here is output
*klist -ke*
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
*kinit -k odd though as kinit -k seems to fail but kinit with admin
seems to work indicating I can hit the KDC even though kinit -k says I
cannot?*
getting initial credentials
while getting initial credentials
You need to specify full principal name as printed from klist command,
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local
Post by Sean Hogan
Ticket cache: KEYRING:persistent:1111111111:1111111111
Valid starting Expires Service principal
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
*Added debug_level = 10 on the domain section of sssd.conf and restarted
is all I see*
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
(Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program lacks support for encryption type
*Additional:*
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 3042 (sssd)
CGroup: /system.slice/sssd.service
├─3042 /usr/sbin/sssd -D -f
├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0 --debug-to-files
├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security Services Daemon.
Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed
Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Seeing this in /var/log/sssd/sssd_ipa.local.log
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could not initialize backend [14]
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: Bad address
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module] (0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
This is also strange but might be side effect I assume.. we mount NFS v4
home dir with automount for central homes and profiles.. on the boxes
having this issue some of the IDs show just the UID numbers/GID numbers
where some of the IDs actually show the UID name/GID name. We have over
2k servers showing the UID name/GID name with no issues.. just the boxes
having this issue.
Sean Hogan
From: Jakub Hrozek
Date: 11/16/2016 02:29 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Post by Sean Hogan
Hello,
I am starting to see some issues with a few RHEL7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.
RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64
RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
The RHEL 7 client shows this in messages
Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support for encryption type
Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?
Post by Sean Hogan
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
I am also not seeing host certs for them on the ipa server but I do see
them on the local box.
Can you run klist -ke as well to see what encryption types are included
in the keytab?
Is it possible to run "kinit -k" on the client?
Post by Sean Hogan
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
I have one RHEL 7 box with no issues as it was just enrolled (missing host certs in IPA though) and I compared an IPA ID login with a box not working
*NOT Work*
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed'
vs
Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe" exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=success'
It's almost as if the pam files are not being read?
Sean Hogan
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Sean Hogan
2016-11-16 18:13:49 UTC
Permalink
Yes sir... I added the kinit kts in the previous thinking it was needed.
Post by Sean Hogan
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting initial credentials
kinit: Program lacks support for encryption type while getting initial credentials
Sean Hogan
From: Martin Babinsky <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS
Cc: freeipa-***@redhat.com, Jakub Hrozek <***@redhat.com>
Date: 11/16/2016 10:54 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
Post by Sean Hogan
Sorry.. listing output of klist -e and klist -ke... but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails
*Klists*
Ticket cache: KEYRING:persistent:111111111:11111111111
Valid starting Expires Service principal
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
Post by Sean Hogan
*Kinits *
Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local'
Post by Sean Hogan
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C] [-E]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]
options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting initial credentials
kinit: Program lacks support for encryption type while getting initial credentials
Sean Hogan
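Added example (not code from the thread or from the krb5/FreeIPA projects): a parser for the MIT keytab format that klist -ke and ktutil read, listing each key's principal, KVNO and enctype and flagging the enctypes a client's krb5 will refuse. Both errors quoted above turn on keytab contents: "Program lacks support for encryption type" means the client's krb5 cannot use, or has disabled, the enctype of the key it selected, while "Decrypt integrity check failed" usually means the keytab's key or KVNO no longer matches the KDC's (a stale keytab, which re-enrolling replaces). The sample keytab is constructed inline with dummy all-zero keys and reuses the host principal named in the thread.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and list principal, KVNO and enctype.

Added example: a stand-alone reader for the file that klist -ke and ktutil
inspect, with a constructed sample keytab so it runs offline.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

# RFC 3961 enctype numbers, named as klist -ke prints them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Single DES and export RC4: krb5 refuses them unless allow_weak_crypto = true,
# and MIT krb5 1.18 removed single DES outright.
WEAK_ENCTYPES = {1, 2, 3, 24}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(rec: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm, p = _counted(rec, 2)
    comps = []
    for _ in range(ncomp):
        comp, p = _counted(rec, p)
        comps.append(comp.decode())
    p += 4  # name_type, present only in format 0x0502
    timestamp, vno8, enctype, keylen = struct.unpack_from(">IBHH", rec, p)
    p += 9 + keylen  # step over the key material itself
    kvno = vno8
    if len(rec) - p >= 4:  # optional 32-bit KVNO stored after the key
        (vno32,) = struct.unpack_from(">I", rec, p)
        kvno = vno32 or kvno
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a format-0x0502 (big-endian) keytab, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # hole left by ktutil's delent: |size| bytes to skip
            off -= size
            continue
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def report(entries: List[KeytabEntry]) -> List[str]:
    """Render entries in klist -ke style, flagging enctypes the client may refuse."""
    out = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, f"etype {e.enctype}")
        flag = ""
        if e.enctype in WEAK_ENCTYPES:
            flag = "   <-- weak enctype, refused unless allow_weak_crypto = true"
        out.append(f"{e.kvno:>4} {e.principal} ({name}){flag}")
    return out


# Constructed sample keytab with dummy all-zero keys, so the script runs offline.
def _cnt(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cnt(realm.encode())
    body += b"".join(_cnt(c.encode()) for c in comps)
    # name_type 1 (KRB5_NT_PRINCIPAL), timestamp, 8-bit vno, enctype, key length
    body += struct.pack(">IIBHH", 1, 1479259478, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)  # key bytes, then the 32-bit KVNO
    return struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("host/server1.ipa.local@IPA.LOCAL", 1, 18, bytes(32))
    + struct.pack(">i", -16) + bytes(16)  # a deleted slot
    + _entry("host/server1.ipa.local@IPA.LOCAL", 1, 23, bytes(16))
    + _entry("host/server1.ipa.local@IPA.LOCAL", 1, 1, bytes(8))
)

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print("\n".join(report(parse_keytab(raw))))
```

Run it with a path (`python3 keytab_enctypes.py /etc/krb5.keytab`) to see the real file; an entry whose KVNO differs from what the KDC holds for that principal is the usual cause of the integrity-check error, and a flagged enctype the usual cause of the unsupported-enctype one.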
Sean Hogan
2016-11-16 19:36:19 UTC
Permalink
update..

I decided to unenroll the box and remove it from IPA totally. I
enrolled it again and the box is now working as expected. However I did
check if server1 now has a host certificate loaded in IPA and it does not.
I have not had to do anything extra in getting a host cert loaded into IPA
with the RHEL 6 boxes so is there a step I am not doing in getting a host
cert loaded into IPA from a rhel 7 client to a RHEL 6 server? I guess I
can do it manually but if I do that certmonger will not auto renew them
right?

[***@ipa1 ~]# ipa host-find server1
--------------
1 host matched
--------------
Host name: server1.ipa.local
Principal name: host/***@IPA.LOCAL
Password: False
Keytab: True
Managed by: server1.ipa.local
SSH public key fingerprint: 12:95:CC:REMOVED (ssh-ed25519), 33:B9:74:26::REMOVED (ssh-rsa), 52:F3:DD:REMOVED (ecdsa-sha2-nistp256)


Where for a RHEL 6 box I see this


[***@ipa1 ~]# ipa host-find server2
--------------
1 host matched
--------------
Host name: server2.ipa.local
Certificate:
MIIDpjCCAo6gAwIBAgICANQwDQYJKoZIhvcNAQELBQAwNzEVMBMGA1UEChMMV0
REMOVED THE REST
Principal name: host/***@IPA.LOCAL
Password: False
Member of host-groups: bob
Indirect Member of HBAC rule: bob2, bob1
Keytab: True
Managed by: server2.ipa.local
Subject: CN=server2.ipa.local,O=IPA.LOCAL
Serial Number: 212
Serial Number (hex): 0xD4
Issuer: CN=Certificate Authority,O=IPA.LOCAL
Not Before: Tue Jul 26 20:48:58 2016 UTC
Not After: Fri Jul 27 20:48:58 2018 UTC
Fingerprint (MD5): 1f:b7:8f:REMOVED
Fingerprint (SHA1): d3:2f:f:REMOVED
SSH public key fingerprint: 1B:26:REMOVED (ssh-dss), 2D:66:D7:REMOVED (ssh-rsa)

Sean Hogan
Rob Crittenden
2016-11-16 20:54:38 UTC
Permalink
Post by Sean Hogan
update..
I decided to unenroll the box and remove it from IPA totally. I enrolled
it again and the box is now working as expected. However I did check if
server1 now has a host certificate loaded in IPA and it does not.
I have not had to do anything extra in getting a host cert loaded into
IPA with the RHEL 6 boxes so is there a step I am not doing in getting a
host cert loaded into IPA from a rhel 7 client to a RHEL 6 server? I
guess I can do it manually but if I do that certmonger will not auto renew
them right?
In IPA 4.something ipa-client-install dropped getting a host certificate
by default. There is an option, --request-cert, if you want to continue
that behavior.

Getting a server cert for the host was intended to be future-proofing
and a convenience but we never used it for anything and never got any
reports that anyone else had either (except to notice it isn't there
anymore).

So yeah, you can either un-enroll and re-enroll with the option or
manually request one using ipa-getcert and it will be renewed
automatically in both cases.

rob
Post by Sean Hogan
--------------
1 host matched
--------------
Host name: server1.ipa.local
Password: False
Keytab: True
Managed by: server1.ipa.local
SSH public key fingerprint: 12:95:CC:*REMOVED*
(ssh-ed25519),
33:B9:74:26::*REMOVED*
(ssh-rsa),
52:F3:DD:*REMOVED*
(ecdsa-sha2-nistp256)
Where for a RHEL 6 box I see this
--------------
1 host matched
--------------
Host name: server2.ipa.local
Certificate: MIIDpjCCAo6gAwIBAgICANQwDQYJKoZIhvcNAQELBQAwNzEVMBMGA1UEChMMV0
*REMOVED THE REST*
Password: False
Member of host-groups: bob
Indirect Member of HBAC rule: bob2, bob1
Keytab: True
Managed by: server2.ipa.local
Subject: CN=server2.ipa.local,O=IPA.LOCAL
Serial Number: 212
Serial Number (hex): 0xD4
Issuer: CN=Certificate Authority,O=IPA.LOCAL
Not Before: Tue Jul 26 20:48:58 2016 UTC
Not After: Fri Jul 27 20:48:58 2018 UTC
Fingerprint (MD5): 1f:b7:8f:*REMOVED*
Fingerprint (SHA1): d3:2f:f:*REMOVED*
SSH public key fingerprint: 1B:26:*REMOVED *
(ssh-dss),
2D:66:D7:*REMOVED*
(ssh-rsa)
Sean Hogan
Inactive hide details for Sean Hogan---11/16/2016 11:31:33 AM---Yes
sir... I added the kinit kts in the previous thinking it waSean
Hogan---11/16/2016 11:31:33 AM---Yes sir... I added the kinit kts in the
Date: 11/16/2016 11:31 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Yes sir... I added the kinit kts in the previous thinking it was needed.
Post by Sean Hogan
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
initial credentials
kinit: Program lacks support for encryption type while getting initial
credentials
Sean Hogan
Inactive hide details for Martin Babinsky ---11/16/2016 10:54:32 AM---On
11/16/2016 05:56 PM, Sean Hogan wrote: > Sorry.. listiMartin Babinsky
---11/16/2016 10:54:32 AM---On 11/16/2016 05:56 PM, Sean Hogan wrote: >
Sorry.. listing ouput of klist -e and klist -ke... but k
Date: 11/16/2016 10:54 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Post by Sean Hogan
Sorry.. listing ouput of klist -e and klist -ke... but kinit -k does not
seem to be working if I have it right.. kinit -kt is more promising but
still fails
*Klists*
Ticket cache: KEYRING:persistent:111111111:11111111111
Valid starting Expires Service principal
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
*Kinits *
Sorry it should read 'kinit -kt /etc/krb5.keytab host/server1.ipa.local'
Post by Sean Hogan
Extra arguments (starting with "host/server1.ipa.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F] [-p | -P] -n [-a | -A] [-C]
[-E]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]
options: -V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]
kinit: Cannot contact any KDC for realm 'IPA.LOCAL' while getting
initial credentials
kinit: Program lacks support for encryption type while getting initial
credentials
Sean Hogan
Date: 11/16/2016 09:33 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Post by Sean Hogan
Hi Jakub,
Thanks... here is output
*klist -ke*
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
Post by Sean Hogan
Post by Sean Hogan
*kinit -k odd though as kinit -k seems to fail but kinit with admin
seems to work indicating I can hit the KDC even though kinit -k says I
cannot?*
getting initial credentials
while getting initial credentials
You need to specify full principal name as printed from klist command,
i.e. kinit -k /etc/krb5.keytab host/server1.ipa.local
Post by Sean Hogan
Ticket cache: KEYRING:persistent:1111111111:1111111111
Valid starting Expires Service principal
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
*Added debug_level = 10 on the domain section of sssd.conf and restarted
is all I see*
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18951]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:50 2016) [[sssd[ldap_child[18954]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18956]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:57:56 2016) [[sssd[ldap_child[18957]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:58:02 2016) [[sssd[ldap_child[18958]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
(Wed Nov 16 10:59:26 2016) [[sssd[ldap_child[18977]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Program
lacks support for encryption type
*Additional:*
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Wed 2016-11-16 10:30:43 EST; 17s ago
Process: 3041 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
Post by Sean Hogan
Main PID: 3042 (sssd)
CGroup: /system.slice/sssd.service
├─3042 /usr/sbin/sssd -D -f
├─3043 /usr/libexec/sssd/sssd_be --domain ipa.local --uid 0 --gid 0
--debug-to-files
├─3044 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─3045 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─3046 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─3047 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─3048 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
Nov 16 10:30:43 server1.ipa.local sssd[3042]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[be[ipa.local]][3043]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[sudo][3045]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pam][3046]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[nss][3044]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[ssh][3047]: Starting up
Nov 16 10:30:43 server1.ipa.local sssd[pac][3048]: Starting up
Nov 16 10:30:43 server1.ipa.local systemd[1]: Started System Security
Services Daemon.
Nov 16 10:30:55 server1.ipa.local [sssd[ldap_child[3055]]][3055]: Failed
Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP
connection.
Seeing this in /var/log/sssd/sssd_ipa.local.log
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [main] (0x0010): Could
not initialize backend [14]
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]]
[select_principal_from_keytab] (0x0010): Failed to read keytab
[default]: Bad address
(Tue Nov 15 20:04:39 2016) [sssd[be[ipa.local]]] [load_backend_module]
(0x0010): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
This is also strange but might be side effect I assume.. we mount NFS v4
home dir with automount for central homes and profiles.. on the boxes
having this issue some of the IDs show just the UID numbers/GID numbers
where some of the IDs actually show the UID name/GID name. We have over
2k servers showing the UID name/GID name with no issues.. just the boxes
having this issue.
Sean Hogan
Date: 11/16/2016 02:29 AM
Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
------------------------------------------------------------------------
Post by Sean Hogan
Hello,
I am starting to see some issues with a few RHEL7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.
RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64
RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
The RHEL 7 client shows this in messages
Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
for encryption type
Could you post a more verbose ldap_child log (debug_level=10 includes
KRB5_TRACE-level messages) so that we see what kind of crypto was used?
Post by Sean Hogan
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
check
Post by Sean Hogan
failed. Unable to create GSSAPI-encrypted LDAP connection.
I am also not seeing host certs for them on the ipa server but I do see
them on the local box.
Can you run klist -ke as well to see what encryption types are included
in the keytab?
Is it possible to run "kinit -k" on the client?
Post by Sean Hogan
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
I have one RHEL 7 box with no issues as it was just enrolled (missing
host
Post by Sean Hogan
Post by Sean Hogan
certs in IPA though) and I compared and IPA ID login with a box not
working
*NOT Work*
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
Post by Sean Hogan
msg='op=PAM:authentication grantors=? acct="janedoe"
exe="/usr/sbin/sshd"
Post by Sean Hogan
Post by Sean Hogan
Post by Sean Hogan
hostname=10.10.10.10 addr=10.10.10.9 terminal=ssh res=failed'
vs
Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
Post by Sean Hogan
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit
acct="janedoe"
Post by Sean Hogan
Post by Sean Hogan
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'
It's almost as if the pam files are not being read?
Sean Hogan
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Martin^3 Babinsky
Jakub Hrozek
2016-11-16 21:37:55 UTC
Permalink
Post by Sean Hogan
kinit: Program lacks support for encryption type while getting initial
credentials
OK, now there's at least the same error from kinit as sssd is
generating. Can you run this command prepended with
KRB5_TRACE=/dev/stderr and perhaps also check the KDC logs for the same
time?

But frankly I don't know offhand what enctypes are supported by the
RHEL-6 server's KDC..
Sean Hogan
2016-11-16 22:34:07 UTC
Permalink
Hi Jakub,

I ended up re-enrolling the box and it is behaving as expected except I
am not getting a host cert. Robert indicated auto host cert no longer
avail with rhel 7 but using the --request-cert option on enroll to get a
host cert if I wanted one. I did so and get this in the install log


2016-11-16T22:00:53Z DEBUG Starting external process
2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
'certmonger.service'
2016-11-16T22:00:53Z DEBUG Process finished, return code=0
2016-11-16T22:00:53Z DEBUG stdout=active

2016-11-16T22:00:53Z DEBUG stderr=
2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed


Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x) IPA
server?

As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
However this is modified version as it took me a while to get this list to
pass tenable scans by modding the dse files.
[***@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-16 17:25 EST
Nmap scan report for ipa1.ipa.local
Host is up (0.000087s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (14)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed





Sean Hogan







Rob Crittenden
2016-11-17 14:59:43 UTC
Permalink
Post by Sean Hogan
Hi Jakub,
I ended up re-enrolling the box and it is behaving as expected except I
am not getting a host cert. Robert indicated auto host cert no longer
avail with rhel 7 but using the --request-cert option on enroll to get
a host cert if I wanted one. I did so and get this in the install log
*2016-11-16T22:00:53Z DEBUG Starting external process*
*2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
'certmonger.service'*
*2016-11-16T22:00:53Z DEBUG Process finished, return code=0*
*2016-11-16T22:00:53Z DEBUG stdout=active*
*2016-11-16T22:00:53Z DEBUG stderr=*
*2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed*
Did you cut off the reason reported for the request failing?
Post by Sean Hogan
Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
IPA server?
You could look in the server logs for details.
Post by Sean Hogan
As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
However this is modified version as it took me a while to get this list
to pass tenable scans by modding the dse files.
These are the TLS settings for LDAP, not the Kerberos encryption types
supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b
cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob
Sean Hogan
2016-11-17 16:04:50 UTC
Permalink
Hi Robert,

No I did not cut it off ....there was no reason listed.. that was the last
line about the issue.

I did find this to be my issue however
https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys
see if they can pull the new selinux policy packages as I do not see them
avail right now for my boxes.

[***@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts
recent
----
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
hostname=? addr=? terminal=?'
----
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000
a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

[***@server2 log]# rpm -qf /etc/ipa/nssdb
ipa-python-4.1.0-18.el7_1.4.x86_64



Encryption types.. thanks for the command.. good to know but hate seeing
the arcfour and des options as I know DISA will not like that.

[***@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b
cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: krbSupportedEncSaltTypes
#

# IPA.LOCAL, kerberos, ipa.local
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




Sean Hogan





Rob Crittenden
2016-11-17 16:13:57 UTC
Permalink
Post by Sean Hogan
Hi Robert,
No I did not cut it off ....there was no reason listed.. that was the
last line about the issue.
I did find this to be my issue however
https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
guys see if they can pull the new selinux policy packages as I do not
see them avail right now for my boxes.
----
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received
setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root
hostname=? addr=? terminal=?'
----
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK
a2=0x4000 a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write }
for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write }
for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
Good catch, that seems like the issue.
Post by Sean Hogan
ipa-python-4.1.0-18.el7_1.4.x86_64
IIRC it is just ghosted, all files should be owned by something.
Post by Sean Hogan
Encryption types.. thanks for the command.. good to know but hate seeing
the arcfour and des options as I know DISA will not like that.
No DES, Triple DES. You can always remove them if you want, just be
aware of interoperability.

rob
Post by Sean Hogan
cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
# extended LDIF
#
# LDAPv3
# base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: krbSupportedEncSaltTypes
#
# IPA.LOCAL, kerberos, ipa.local
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Sean Hogan
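Rob's point above, that krbSupportedEncSaltTypes (not the LDAP TLS cipher list) is what governs the realm's Kerberos enctypes, as an added example that is not from the thread or from FreeIPA: a small Python checker that parses the ldapsearch output Sean posted, flags the arcfour-hmac and des3-hmac-sha1 entries, and emits the ldapmodify LDIF that would delete them. The WEAK_ENCTYPES set and the AES-only baseline behind it are assumptions of the example.

```python
"""Audit the enctypes a FreeIPA realm advertises in krbSupportedEncSaltTypes.

Added example, not code from the thread or from FreeIPA. SAMPLE_LDIF is a
constructed copy of the ldapsearch output posted in the thread.
"""

# Assumption of this example: a baseline that allows only AES. arcfour-hmac
# is RC4; des3-hmac-sha1 is Triple DES (not single DES, as Rob points out).
WEAK_ENCTYPES = {"arcfour-hmac", "des3-hmac-sha1",
                 "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: krbSupportedEncSaltTypes
#

# IPA.LOCAL, kerberos, ipa.local
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(ldif):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_enc_salt_types(ldif):
    """Return (dn, {enctype: sorted salt types}) from ldapsearch LDIF output."""
    dn, found = None, {}
    for line in unfold_ldif(ldif):
        if not line or line.startswith("#"):
            continue                      # comments and blank separators
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "krbsupportedencsalttypes":
            enctype, _, salt = value.partition(":")
            found.setdefault(enctype, set()).add(salt or "normal")
    return dn, {k: sorted(v) for k, v in found.items()}


def weak_enctypes(enc_salt_types):
    """Enctypes present in the realm entry that the baseline rejects."""
    return sorted(e for e in enc_salt_types if e in WEAK_ENCTYPES)


def removal_ldif(dn, enc_salt_types):
    """Build an ldapmodify LDIF deleting the weak values, or '' if none.

    This only changes what the KDC offers for the realm going forward; as
    Rob notes, check interoperability (existing keytabs, clients that can
    only do RC4) before applying it.
    """
    weak = weak_enctypes(enc_salt_types)
    if not weak:
        return ""
    lines = [f"dn: {dn}", "changetype: modify",
             "delete: krbSupportedEncSaltTypes"]
    for enctype in weak:
        for salt in enc_salt_types[enctype]:
            lines.append(f"krbSupportedEncSaltTypes: {enctype}:{salt}")
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    realm_dn, types = parse_enc_salt_types(SAMPLE_LDIF)
    print("realm:", realm_dn)
    print("weak enctypes:", ", ".join(weak_enctypes(types)) or "none")
    print(removal_ldif(realm_dn, types))
```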
Sean Hogan
2016-11-17 20:19:44 UTC
Permalink
Hi Guys..

Sorry to bug ya again.. so looks like the selinux packages are not back
ported to 7.1 as I only have selinux-policy-3.13.1-23.el7_1.21.noarch as an
option

Setting the contexts manually to /etc/ipa/nssdb


Original
[***@server2 ipa]# ls -dZ nssdb
drwxr-xr-x. root root system_u:object_r:etc_t:s0 nssdb

Set to
[***@server2 ipa]# semanage fcontext -a -t cert_t "/etc/ipa/nssdb(/.*)?"
[***@server2 ~]# restorecon -FvvR /etc/ipa/nssdb/

Check for change
[***@server2 ~]# ls -dZ /etc/ipa/nssdb
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/ipa/nssdb

I did this.. re-enrolled the box again but still no host cert showing in
IPA however I do get a result now from getcert list as seen below. The
install log still shows certmonger failed .. 2016-11-17T20:05:05Z ERROR
certmonger request for host certificate failed.




getcert list
Number of certificates and requests being tracked: 1.
Request ID '20161117153721':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS
Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA
host'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Not seeing anymore selinux issues either

[***@server2 sudofix]# ausearch -m avc -m user_avc -m selinux_err -i -ts
recent
<no matches>



Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397









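The ausearch output and the semanage/restorecon relabel from this part of the thread, as an added example that is not from the thread or from any Red Hat tool: a Python parser for `ausearch -i` records that joins each AVC denial to the PATH record of the same event, notes when the trail shows a setenforce to permissive (so the denial was logged, not blocked), and suggests the cert_t relabel when certmonger_t is denied under /etc/ipa/nssdb. The sample records are an abridged, constructed copy of the ones posted; EXPECTED_LABELS is an assumption taken from the fix applied in the thread.

```python
"""Relate AVC denials in `ausearch -i` output to the paths they were denied on.

Added example, not from the thread. SAMPLE_AUSEARCH is an abridged,
constructed copy of the records posted.
"""
import re
from dataclasses import dataclass

SAMPLE_AUSEARCH = """\
----
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64 syscall=access success=yes exit=0 ppid=1 pid=2875 comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64 syscall=open success=yes exit=11 ppid=2875 pid=2918 comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

EVENT_RE = re.compile(r"msg=audit\((.+?):(\d+)\)")        # (timestamp, serial)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")  # permissions
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENFORCING_RE = re.compile(r"setenforce notice \(enforcing=(\d)\)")

# Label the thread's fix gave the client NSS database (semanage fcontext -a
# -t cert_t "/etc/ipa/nssdb(/.*)?"); an assumption of this example.
EXPECTED_LABELS = {"/etc/ipa/nssdb": "cert_t"}


@dataclass
class Denial:
    serial: str
    timestamp: str
    comm: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    path: str  # full path from the event's PATH record, else the bare name


def selinux_type(context):
    """'system_u:object_r:etc_t:s0' -> 'etc_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_ausearch(text):
    """Return (denials, mode_changes) from `ausearch -i` output.

    mode_changes holds (timestamp, enforcing) pairs from 'setenforce notice'
    records; a denial logged while enforcing=0 was permitted, not blocked.
    """
    denials, mode_changes = [], []
    for event in text.split("----"):            # ausearch separates events
        paths, avcs = {}, []
        for line in event.splitlines():
            line = line.strip()
            m = EVENT_RE.search(line)
            if not line.startswith("type=") or not m:
                continue
            ts, serial = m.groups()
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            rtype = kv.get("type")
            if rtype == "PATH":
                paths[kv.get("inode")] = kv.get("name", "")
            elif rtype == "USER_AVC":          # only the setenforce notice here
                em = ENFORCING_RE.search(line)
                if em:
                    mode_changes.append((ts, em.group(1) == "1"))
            elif rtype == "AVC":
                am = AVC_RE.search(line)
                if am:
                    avcs.append((ts, serial, tuple(am.group(1).split()), kv))
        # Resolve after the whole event is read: PATH need not precede AVC.
        for ts, serial, perms, kv in avcs:
            path = paths.get(kv.get("ino")) or kv.get("name", "")
            denials.append(Denial(serial, ts, kv.get("comm", ""), perms,
                                  kv.get("scontext", ""), kv.get("tcontext", ""),
                                  kv.get("tclass", ""), path))
    return denials, mode_changes


def suggest_relabel(denial):
    """Fix command if the target is under a known path but carries the wrong
    type; None when the label already matches or the path is unknown."""
    for prefix, label in EXPECTED_LABELS.items():
        under = denial.path == prefix or denial.path.startswith(prefix + "/")
        if under and selinux_type(denial.tcontext) != label:
            return (f'semanage fcontext -a -t {label} "{prefix}(/.*)?" '
                    f"&& restorecon -FvvR {prefix}")
    return None


if __name__ == "__main__":
    found, modes = parse_ausearch(SAMPLE_AUSEARCH)
    for ts, enforcing in modes:
        print(f"{ts}: SELinux set to {'enforcing' if enforcing else 'permissive'}")
    for d in found:
        print(f"{d.timestamp} {d.comm} ({selinux_type(d.scontext)}) denied "
              f"{' '.join(d.perms)} on {d.tclass} {d.path} "
              f"[{selinux_type(d.tcontext)}]")
        fix = suggest_relabel(d)
        if fix:
            print("  suggested fix:", fix)
```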