Hello, I have set up IPA on a private network and have hit some bumps configuring sudo access for the clients. kinit seems to work fine for both client and server, user and root. When I run sudo on the server I see the following in /var/log/messages: Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]: Decrypt integrity check failed Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]: Decrypt integrity check failed Thanks, Andrew ## I see the following in my clients /var/log/messages after starting sssd on the client. Oct 17 17:35:46 zabbix sssd: Starting up Oct 17 17:35:46 zabbix sssd[be[192-168-0-100.local]]: Starting up Oct 17 17:35:46 zabbix sssd[nss]: Starting up Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error processing keytab file [default]: Principal [host/192-168-0-100.local at LOCAL] was not found. Unable to create GSSAPI-encrypted LDAP connection. Oct 17 17:35:46 zabbix sssd[sudo]: Starting up Oct 17 17:35:46 zabbix sssd[ssh]: Starting up Oct 17 17:35:46 zabbix sssd[pac]: Starting up Oct 17 17:35:46 zabbix [sssd[ldap_child[6659]]]: Error writing to key table Oct 17 17:35:46 zabbix sssd[pam]: Starting up ## And the following when user "andrew" tries to sudo on the client. Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error processing keytab file [default]: Principal [host/192-168-0-100.local at LOCAL] was not found. Unable to create GSSAPI-encrypted LDAP connection. Oct 17 17:37:10 zabbix [sssd[ldap_child[6667]]]: Error writing to key table ## The user and sudo rules in ipa. [root at 192-168-0-100 ~]# ipa sudorule-show add_sudo Rule name: add_sudo Enabled: TRUE Host category: all Command category: all RunAs User category: all RunAs Group category: all Users: andrew [root at 192-168-0-100 ~]# ipa user-show andrew User login: andrew First name: Andrew Last name: Holway Home directory: /home/andrew Login shell: /bin/bash Email address: andrew at local.com UID: 1876600003 GID: 1876600003 Account disabled: False Password: True Member of groups: admins, ipausers, trust admins Member of Sudo rule: add_sudo Kerberos keys available: True SSH public key fingerprint: 35:08:9D:5E:F7:96:2A:FA:E4:60:76:4E:8A:12:FE:15 (ssh-dss) ## /etc/sssd/sssd.conf on the client [domain/192-168-0-100.local] cache_credentials = True krb5_store_password_if_offline = True krb5_realm = LOCAL ipa_domain = 192-168-0-100.local id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = 192-168-0-110.local chpass_provider = ipa ipa_server = _srv_, 192-168-0-100.local dns_discovery_domain = 192-168-0-100.local sudo_provider = ldap ldap_uri = ldap://192-168-0-100.local ldap_sudo_search_base = ou=sudoers,dc=local ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/192-168-0-100.local at LOCAL ldap_sasl_realm = local krb5_server = 192-168-0-100.local [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = 192-168-0-100.local [nss] [pam] [sudo] [autofs] [ssh] [pac] ## /etc/nsswitch.conf on client # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files sss shadow: files sss group: files sss #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files aliases: files nisplus sudoers: files sss ## selinux SELinux status: disabled on both client and server ## /etc/krb5.conf on the client #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = LOCAL dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes [realms] LOCAL = { kdc = 192-168-0-100.local:88 master_kdc = 192-168-0-100.local:88 admin_server = 192-168-0-100.local:749 default_domain = 192-168-0-100.local pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .192-168-0-100.local = LOCAL 192-168-0-100.local = LOCAL .local = LOCAL local = LOCAL