Just learned a new keyboard shortcut in my mail client. Didn't mean to send without
saying thanks a lot, that was very helpful.
On 6 Oct 2017 at 12:24, Marius Bjørnstad via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it
would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time.
strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP address of the
other master. I changed it to 192.168.1.249, the 4.5 master, and it works!
> On 6 Oct 2017 at 11:56, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem.
>>
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>>
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>
>> I should note that we now have one server on 4.4, which I daren't touch, and this one on 4.5 which is having issues.
>>
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the password prompt. So there is something wrong with the KDC?
>>
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
>
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>>
>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>
>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>>
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
>>>>>>
>>>>>> Do you have krb5-pkinit installed? I think there is a dependency missing. And I ran "ipa-pkinit-manage enable", but I don't remember if it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>
>>>> Hm, then the dependency was missing for the client packages for Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
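A small diagnostic for the lookup order Marius found, added here as an example and not code from the thread or from FreeIPA or SSSD: it reads the kdc= entry from a krb5.conf realm stanza and the address in SSSD's kdcinfo.REALM file and reports which one kinit will actually use. The realm name, the two addresses and the file locations are constructed sample values written to a temp directory.

```shell
#!/bin/sh
# Constructed example: how an SSSD client picks the KDC. libkrb5 asks the
# SSSD locator plugin first; if /var/lib/sss/pubconf/kdcinfo.REALM exists,
# its address is used and the kdc= entries in krb5.conf are never consulted.
# All paths and addresses below are sample values written to a temp dir.
SANDBOX=$(mktemp -d)
KRB5_CONF="$SANDBOX/krb5.conf"          # stand-in for /etc/krb5.conf
PUBCONF="$SANDBOX/pubconf"              # stand-in for /var/lib/sss/pubconf
mkdir -p "$PUBCONF"
cat > "$KRB5_CONF" <<'EOF'
[realms]
 OUS.NSC.LOCAL = {
  kdc = 192.168.1.249:88
  admin_server = 192.168.1.249:749
 }
EOF
printf '192.168.1.248\n' > "$PUBCONF/kdcinfo.OUS.NSC.LOCAL"

# kdc_from_krb5conf REALM FILE: first kdc= value in the realm's stanza (no port).
kdc_from_krb5conf() {
    awk -v realm="$1" '
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                   { inside = 0 }
        inside && $1 == "kdc"                 { sub(/:.*/, "", $3); print $3; exit }
    ' "$2"
}

# kdc_from_sssd REALM DIR: address SSSD published for the realm, empty if none
# (IPv4 assumed; the optional :port suffix is dropped).
kdc_from_sssd() {
    f="$2/kdcinfo.$1"
    [ -r "$f" ] || return 0
    head -n 1 "$f" | cut -d: -f1
}

# effective_kdc REALM KRB5CONF DIR: the address kinit will actually contact.
effective_kdc() {
    sssd=$(kdc_from_sssd "$1" "$3")
    if [ -n "$sssd" ]; then printf '%s\n' "$sssd"; else kdc_from_krb5conf "$1" "$2"; fi
}

# report REALM KRB5CONF DIR: print both sources and flag a divergence.
report() {
    conf=$(kdc_from_krb5conf "$1" "$2"); sssd=$(kdc_from_sssd "$1" "$3")
    printf 'krb5.conf kdc : %s\nsssd kdcinfo  : %s\neffective     : %s\n' \
        "$conf" "${sssd:-none}" "$(effective_kdc "$1" "$2" "$3")"
    [ -z "$sssd" ] || [ "$sssd" = "$conf" ] || echo "MISMATCH: kinit bypasses krb5.conf"
}

report OUS.NSC.LOCAL "$KRB5_CONF" "$PUBCONF"
```

On a real client, point KRB5_CONF at /etc/krb5.conf and PUBCONF at /var/lib/sss/pubconf; the kdcinfo file is rewritten by SSSD, so editing it by hand is a diagnosis step, not a fix.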