How to reset Keytab for FreeIPA Server and Client

I followed the standard documentation to install FreeIPA server and client on hosts 'SRV' and 'CLT' respectively. I then added a user 'X' to FreeIPA using Web UI. Now when i try to SSH as X to CLT, i get a 'Permission denied, please try again.' error. I check '/var/log/messages' on the client, and saw this - '[sssd[krb5_child[3277]]]: Decrypt integrity check failed'.

I reset the password multiple times, but that didn't solve the problem. Then I came across these -

  • http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#badpass
  • https://groups.google.com/forum/#!topic/comp.protocols.kerberos/g-s76WeWyUU

Sounds like removing the '/etc/krb5.keytab' file from SRV and CLT and then recreating them will solve the problem.

  1. How should I go about doing this keytab reset?
  2. Should I first un-provision/remove CLT from FreeIPA inventory?

Solution 1:

Which SSH authentication method are you using? Are you typing in your password, or trying to use Kerberos ticket-based authentication (gssapi-with-mic or gssapi-keyex)?

The “decrypt integrity check failed” message could come from two sources. If you give it the wrong password (your password doesn’t match the keys for your principal in the KDC), you’d get that. You’d also get it if your password is fine, but the keytab on the server is out of date; this would happen with both ticket and password authentication (because with a password, the server obtains a ticket for its own host principal after doing kinit, to authenticate the KDC).

Sounds like removing the ’/etc/krb5.keytab’ file from SRV and CLT and then recreating them will solve the problem.

The keytab on the client is irrelevant; it’s not part of this scenario. The likely problem here is that the keytab on the server is out of sync with the KDC (the Kerberos authentication server, or "Key Distribution Center," which is part of FreeIPA). With Kerberos, all identities (or "principals") in the system have keys they share with the KDC. A user’s keys are generated from his password. The keys for a software service like sshd are randomly generated, and stored in a file called a keytab (for "key table") so the service can access them. This sounds like the keys for the SSH principal have been changed in the KDC, but the keytab hasn’t been updated to match. Your principal name is of the form user@REALM. The principal name for the SSH service is of the form host/hostname@REALM. Try:

$ ipa-getkeytab -s <FreeIPA server> -p host/<hostname>@REALM -k <keytab file>.

... to extract the current keys for the SSH service principal into a new keytab. You can use klist -ek <keytab> to view the contents of the old and new keytabs. If you have a key mismatch, it should show up as the keys for the same principal having different key version numbers (or “kvno”). You might see something like:

# look at the system keytab
$ sudo klist -ek
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)

# look at the new keytab
$ klist -ek <new keytab>
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)

Solution 2:

I also resolved this problem. because ccache contained a old key for the IPA server from the previous installation just need delete /var/lib/sss/db/ccache_* file

more detail in ticket: https://fedorahosted.org/sssd/ticket/2781