Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it
would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time.
strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP address of the
other master. I changed it to 192.168.1.249, the 4.5 master, and it works!
On 6 Oct 2017 at 11:56, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
> Thanks for the replies! I do have the krb5-pkinit package installed.
> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem.
>
> $ ipa pkinit-status --server=SERVER_NAME
> says PKINIT is disabled.
> # ipa-pkinit-manage status
> now says it is enabled.
> $ ipa config-show
> does not list any IPA masters supporting PKINIT.
>
> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>
> I should note that we now have one server on 4.4, which I daren't touch, and this one on 4.5 which is having issues.
>
> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the password prompt. So there is something wrong with the KDC?
>
> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
> [3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
> [3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
> [3790] 1507282499.683039: Response was from master KDC
> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
> [3790] 1507282499.683081: Received cookie: MIT
> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>
>
>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>
>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>
>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>
>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>> non-zero exit status 1
>>>>>
>>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>>> missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>> it's needed for WebUI login.
>>>> Looking into RHEL/CentOS spec file, I see:
>>>
>>> Hm, then the dependency was missing for the client packages for Debian/Ubuntu.
>> This should not be a problem for the case above because it is IPA
>> master, not a client here.
>>
>> --
>> / Alexander Bokovoy
--
/ Alexander Bokovoy
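The diagnosis above (kinit following SSSD's kdcinfo.REALM file rather than krb5.conf, and the KDC not offering PKINIT) can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses KRB5_TRACE output for the KDC that was actually contacted and the preauth types it offered, and reads the kdcinfo file SSSD's locator plugin writes. The sample trace is constructed from the lines quoted in the thread; the realm name and pubconf path are assumptions.

```python
import re
from pathlib import Path

# Constructed sample, modelled on the KRB5_TRACE output quoted in the thread.
SAMPLE_TRACE = """\
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
"""

KDC_RE = re.compile(r"Initiating (?:TCP|UDP) connection to (?:stream|dgram) (\S+):(\d+)")
PREAUTH_RE = re.compile(r"Processing preauth types: (.*)$")
PA_PK_AS_REQ = 16  # RFC 4556: a KDC that offers PKINIT lists this preauth type

def parse_trace(text):
    """Return (KDC endpoints contacted, preauth types the KDC offered)."""
    kdcs, patypes = [], []
    for line in text.splitlines():
        if m := KDC_RE.search(line):
            kdcs.append(f"{m.group(1)}:{m.group(2)}")
        elif m := PREAUTH_RE.search(line):
            patypes.extend(int(t) for t in m.group(1).replace(",", " ").split())
    return kdcs, patypes

def kdc_offers_pkinit(patypes):
    """True when PA-PK-AS-REQ was among the preauth types the KDC offered."""
    return PA_PK_AS_REQ in patypes

def parse_kdcinfo(text):
    """kdcinfo.REALM holds one KDC address (optionally host:port) per line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def pinned_kdcs(realm, pubconf="/var/lib/sss/pubconf"):
    """KDCs SSSD pins for the realm, or [] when no kdcinfo file exists."""
    path = Path(pubconf) / f"kdcinfo.{realm}"
    return parse_kdcinfo(path.read_text()) if path.exists() else []

def diagnose(trace_text, realm, pubconf="/var/lib/sss/pubconf"):
    """Summarise which KDC kinit used, what SSSD pins, and whether PKINIT was offered."""
    kdcs, patypes = parse_trace(trace_text)
    pinned = pinned_kdcs(realm, pubconf)
    return "\n".join([
        f"kinit contacted: {', '.join(kdcs) or 'none'}",
        f"SSSD kdcinfo pins: {', '.join(pinned) or 'none'}",
        f"KDC offered PKINIT (pa-type {PA_PK_AS_REQ}): {kdc_offers_pkinit(patypes)}",
    ])

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, "OUS.NSC.LOCAL"))  # realm assumed from the thread
```

On a real client, pipe `KRB5_TRACE=/dev/stderr kinit -n 2>&1` into `diagnose()`; a contacted address that differs from krb5.conf but matches the kdcinfo line points at SSSD's KDC pinning rather than at krb5.conf.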