Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
B.4. Logging In and Authentication Problems
B.4.1. Kerberos GSS Failures When Running ipa Commands
Copiar enlaceEnlace copiado en el portapapeles!
Immediately after installing a server, Kerberos errors occur when attempting to run an
ipa command. For example:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Decrypt integrity check failed', -1765328353)
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Decrypt integrity check failed', -1765328353)What this means:
DNS is not properly configured.
To fix the problem:
Verify your DNS configuration.
- See Section 2.1.5, “Host Name and DNS Configuration” for DNS requirements for IdM servers.
- See DNS and Realm Settings in the Windows Integration Guide for DNS requirements for Active Directory trust.
B.4.2. SSH Connection Fails when Using GSS-API
Copiar enlaceEnlace copiado en el portapapeles!
Users are unable to log in to IdM machines using SSH.
What this means:
When SSH attempts to connect to an IdM resource using GSS-API as the security method, GSS-API first verifies the DNS records. SSH failures are often caused by incorrect reverse DNS entries. The incorrect records prevent SSH from locating the IdM resource.
To fix the problem:
Verify your DNS configuration as described in Section 2.1.5, “Host Name and DNS Configuration”.
As a temporary workaround, you can also disable reverse DNS lookups in the SSH configuration. To do this, set the
GSSAPITrustDNS to no in the /etc/ssh/ssh_config file. Instead of using reverse DNS records, SSH will pass the given user name directly to GSS-API.
B.4.3. OTP Token Out of Sync
Copiar enlaceEnlace copiado en el portapapeles!
Authentication using OTP fails because the token is desynchronized.
To fix the problem:
Resynchronize the token. Any user can resynchronize their tokens regardless of the token type and whether or not the user has permission to modify the token settings.
- In the IdM web UI: Click Sync OTP Token on the login page.
Figure B.1. Sync OTP Token
From the command line: Run the ipa otptoken-sync command. - Provide the information required to resynchronize the token. For example, IdM will ask you to provide your standard password and two subsequent token codes generated by the token.NoteResynchronization works even if the standard password is expired. After the token is resynchronized using an expired password, log in to IdM to let the system prompt you to change the password.
B.4.4. Smart Card Authentication Fails with Timeout Error Messages
Copiar enlaceEnlace copiado en el portapapeles!
The
sssd_pam.log and sssd_EXAMPLE.COM.log files contain timeout error messages, such as these:
What this means:
When using forwarded smart card readers or the Online Certificate Status Protocol (OCSP), you might need to adjust certain default values for users to be able to authenticate with smart cards.
To fix the problem:
On the server and on the client from which you want users to authenticate, make these changes in the
/etc/sssd/sssd.conf file:
- In the
[pam]section, increase thep11_child_timeoutvalue to 60 seconds. - In the
[domain/EXAMPLE.COM]section, increase thekrb5_auth_timeoutvalue to 60 seconds. - If you are using OCSP in the certificate, make sure the OCSP server is reachable. If the OCSP server is not directly reachable, configure a proxy OCSP server by adding the following options to
/etc/sssd/sssd.conf:certificate_verification = ocsp_default_responder=http://ocsp.proxy.url, ocsp_default_responder_signing_cert=nickname
certificate_verification = ocsp_default_responder=http://ocsp.proxy.url, ocsp_default_responder_signing_cert=nicknameCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace nickname with the nickname of the OCSP signing certificate in the/etc/pki/nssdb/directory.For details on these options, see the sssd.conf(5) man page. - Restart SSSD:
systemctl restart sssd.service
# systemctl restart sssd.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}