That's right, I did have ipa_server set to _srv_, must have edited it at one point.


On 6 Oct 2017, at 12:37, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Fri, 06 Oct 2017, Marius Bjørnstad wrote:
Wow that's well spotted! That IP is the 4.4 server (I just blindly
assumed that it would use the value in krb5.conf, which is the 4.5
server).  It goes to 248 every time.

strace showed me that kinit gets the IP address from
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
IP address of the other master. I changed it to 192.168.1.249, the 4.5
master, and it works!
This is fixed in 4.6.1 and backported to 4.5. In short, check
/etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in the
'ipa_server' option. If it does, remove it from there and leave only
this master's FQDN:
ipa_server = master.example.com

SSSD was also updated not to write the KDC locator file when running on
an IPA master (ipa_server_mode = True).




On 6 Oct 2017, at 11:56, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
Thanks for the replies! I do have the krb5-pkinit package installed.
ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem.

$ ipa pkinit-status --server=SERVER_NAME
says PKINIT is disabled.
# ipa-pkinit-manage status
now says it is enabled.
$ ipa config-show
does not list any IPA masters supporting PKINIT.

If I disable then re-enable using ipa-pkinit-manage, nothing changes.

I should note that we now have one server on 4.4, which I daren't touch, and this one on 4.5 which is having issues.

This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the password prompt. So there is something wrong with the KDC?

[3790] 1507282499.679169: Resolving unique ccache of type KEYRING
[3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/ANONYMOUS@OUS.NSC.LOCAL
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
[3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
[3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
[3790] 1507282499.683081: Received cookie: MIT
[3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted

192.168.1.248 -- which KDC is this? 4.4 or 4.5?





On 5 Oct 2017, at 21:11, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Thu, 05 Oct 2017, Jochen Hein wrote:
Alexander Bokovoy <abokovoy@redhat.com> writes:

On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:

[Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
/var/run/ipa/ccaches/armor_7424 -X
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
non-zero exit status 1

Do you have krb5-pkinit installed?  I think there is a dependency
missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
it's needed for WebUI login.
Looking into RHEL/CentOS spec file, I see:

Hm, then the dependency was missing for the client packages for Debian/Ubuntu.
This should not be a problem for the case above, because it is an IPA
master here, not a client.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

--
/ Alexander Bokovoy


-- 
/ Alexander Bokovoy
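The check Alexander describes (a 4.5 master whose sssd.conf still has _srv_ in ipa_server, so SSSD writes a KDC locator file that steers kinit to the other master) can be scripted. The following is an added example, not code from the thread or from the FreeIPA/SSSD projects: it audits an sssd.conf for that combination, shows the corrected setting, and reads the kdcinfo file SSSD writes. The sssd.conf and kdcinfo contents are constructed for the demo; that SSSD keeps the locator file under /var/lib/sss/pubconf/kdcinfo.REALM with one address (host or host:port, IPv4 or hostname assumed) per line is an assumption made here, as is the 192.0.2.48 address.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA/SSSD projects.
# Audits an IPA master's sssd.conf for ipa_server_mode = True combined with
# _srv_ in ipa_server, prints the corrected setting, and inspects the KDC
# locator file that kinit consults via SSSD.

# Print the last value of key $2 in config file $1 ("key = value" lines).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Verdict for ipa_server: BAD when this host is an IPA master
# (ipa_server_mode = True) and ipa_server still contains _srv_, else OK.
# Returns 1 on BAD so it can gate a larger script.
check_ipa_server_option() {
    mode=$(conf_value "$1" ipa_server_mode | tr 'A-Z' 'a-z')
    servers=$(conf_value "$1" ipa_server | tr 'A-Z' 'a-z')
    case "$mode:$servers" in
        true:*_srv_*) echo BAD; return 1 ;;
        *)            echo OK ;;
    esac
}

# Rewrite ipa_server to exactly this master's FQDN ($2), the fix recommended
# in the thread; the corrected file is written to stdout.
fix_ipa_server_option() {
    sed "s|^\([[:space:]]*ipa_server[[:space:]]*=\).*|\1 $2|" "$1"
}

# List the KDC hosts SSSD wrote for realm $1 (directory $2 defaults to the
# assumed /var/lib/sss/pubconf); a trailing :port is stripped (IPv4/hostname
# entries assumed, so the cut on ':' is safe).
kdcinfo_targets() {
    realm="$1"; dir="${2:-/var/lib/sss/pubconf}"
    [ -r "$dir/kdcinfo.$realm" ] || { echo "no kdcinfo for $realm in $dir" >&2; return 1; }
    grep -v '^[[:space:]]*$' "$dir/kdcinfo.$realm" | cut -d: -f1
}

# --- constructed sample data (not real hosts or files) ---------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/sssd.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_server_mode = True
ipa_server = _srv_, master.example.com
ipa_domain = example.com
krb5_realm = EXAMPLE.COM
EOF

# Constructed locator file pointing at the *other* master, the situation the
# KRB5_TRACE output in the thread shows (request sent to the unexpected KDC).
printf '192.0.2.48\n' > "$SAMPLE_DIR/kdcinfo.EXAMPLE.COM"

SAMPLE_FIXED="$SAMPLE_DIR/sssd.conf.fixed"
fix_ipa_server_option "$SAMPLE_CONF" master.example.com > "$SAMPLE_FIXED"

printf 'original ipa_server verdict: %s\n' "$(check_ipa_server_option "$SAMPLE_CONF")"
printf 'fixed    ipa_server verdict: %s\n' "$(check_ipa_server_option "$SAMPLE_FIXED")"
printf 'fixed    ipa_server value:   %s\n' "$(conf_value "$SAMPLE_FIXED" ipa_server)"
printf 'kinit is steered to KDC:     %s\n' "$(kdcinfo_targets EXAMPLE.COM "$SAMPLE_DIR")"
```

On a real master the same functions would be run as `check_ipa_server_option /etc/sssd/sssd.conf` and `kdcinfo_targets "$REALM"`, and the result confirmed the way it was found in the thread: `KRB5_TRACE=/dev/stderr kinit -n` shows which KDC address the request actually goes to, which should be this master once the locator file no longer points elsewhere.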