Chris Moody wrote:
Thanks for taking a look gents. Ask and ye shall receive. :)
What version of IPA is this and what platform?
Before an install, can you ensure that there is nothing in
/etc/krb5.conf.d/ (except maybe crypto-policies)?
Same with /var/lib/sss/pubconf/krb5.include.d/
Might also be interesting to try to force a specific master by adding
--server <fqdn of master> to the install line, just to see.
I'm guessing the client is old as it doesn't appear to support the
newer-style ipa-getkeytab:
2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s sfca-do-4.ipa.xyz.com -b dc=ipa,dc=xyz,dc=com -h sfca-do-1.xyz.com
2018-01-17T02:11:51Z DEBUG Process finished, return code=0
2018-01-17T02:11:51Z DEBUG stdout=
2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to decode GetKeytab Control.
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.xyz.COM
2018-01-17T02:11:51Z INFO Enrolled in IPA realm IPA.xyz.COM
It does look like it enrolls ok and gets a keytab.
Note too that just about this it is able to get a TGT for the admin user
via kinit:
2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit admin(a)IPA.xyz.COM -c /tmp/krbccCNSUmS/ccache
The only difference in Kerberos usage between the enrollment and
the rest is that during enrollment a fixed KDC is defined in the
temporary krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.xyz.COM = {
    kdc = sfca-do-4.ipa.xyz.com:88
    master_kdc = sfca-do-4.ipa.xyz.com:88
    admin_server = sfca-do-4.ipa.xyz.com:749
    default_domain = xyz.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .xyz.com = IPA.xyz.COM
  xyz.com = IPA.xyz.COM
It is failing trying to autodiscover things later:
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.xyz.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .xyz.com = IPA.xyz.COM
  xyz.com = IPA.xyz.COM
Discovery appears to be working as expected:
2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"
2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _kerberos._udp.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88 sfca-do-4.ipa.xyz.com.
So I'm not entirely sure what is happening.
rob
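The two checks Rob asks for in this reply (what the enrollment-time krb5.conf pins versus what the final one leaves to DNS, and whether an includedir such as /var/lib/sss/pubconf/krb5.include.d/ or /etc/krb5.conf.d/ is quietly adding a realm stanza) can be scripted. The following is an added example written for this page, not code from FreeIPA, SSSD or the thread participants. It contains a small parser for the subset of the MIT krb5.conf profile format that matters here (sections, `key = value`, `key = { ... }` blocks, `includedir`), reports where libkrb5 will look for the realm's KDCs, and applies libkrb5's documented rule that only files whose names consist solely of alphanumerics, dashes and underscores are read from an includedir. The two embedded configs are constructed to mirror the ones quoted above; the function names and the `resolved_via` labels are this example's own.

```python
"""Inspect a krb5.conf and report how the client will locate KDCs for its realm.

Added example for the thread above (not FreeIPA/SSSD code). The parser covers
only the profile-format subset needed here and is not a full libkrb5 parser.
"""
import os
import re
import sys

# Constructed samples mirroring the two krb5.conf files quoted in the thread.
ENROLL_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_kdc = false
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  IPA.xyz.COM = {
    kdc = sfca-do-4.ipa.xyz.com:88
    master_kdc = sfca-do-4.ipa.xyz.com:88
    admin_server = sfca-do-4.ipa.xyz.com:749
  }
"""

POST_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_kdc = true
[realms]
  IPA.xyz.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

# libkrb5 only reads includedir entries whose names match this pattern.
_INCLUDE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_krb5_conf(text):
    """Return ({section: {key: [value-or-dict, ...]}}, [includedir paths]).

    Repeated keys (e.g. several 'kdc' lines) accumulate in the list. A value of
    exactly '{' opens a nested block, so '%{uid}' inside a value is left alone.
    """
    conf, includedirs, section, stack = {}, [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("includedir"):
            includedirs.append(line.split(None, 1)[1].strip())
            continue
        if line.startswith("include"):
            continue  # single-file includes are out of scope for this example
        if not stack and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if "=" not in line or section is None:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        target = stack[-1] if stack else conf[section]
        if value == "{":
            block = {}
            target.setdefault(key, []).append(block)
            stack.append(block)
        else:
            target.setdefault(key, []).append(value.rstrip("*").strip())
    return conf, includedirs


def kdc_sources(conf, realm=None):
    """Describe how libkrb5 will find KDCs: explicit 'kdc =' lines win, DNS SRV
    lookup is used only when none are configured and dns_lookup_kdc is on
    (the libkrb5 default when the key is absent is true)."""
    libdefaults = conf.get("libdefaults", {})
    if realm is None:
        realm = libdefaults.get("default_realm", [None])[-1]
    explicit = []
    for entry in conf.get("realms", {}).get(realm, []):
        if isinstance(entry, dict):
            explicit.extend(entry.get("kdc", []))
    dns = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in ("true", "yes", "1", "on")
    via = "config" if explicit else ("dns" if dns else "none")
    return {"realm": realm, "explicit_kdcs": explicit, "dns_lookup_kdc": dns, "resolved_via": via}


def effective_include_files(names):
    """Filter directory entries down to those libkrb5 would actually include."""
    return sorted(n for n in names if _INCLUDE_NAME.match(n))


def stray_includes(includedirs):
    """Map each existing includedir to the files libkrb5 would pull in from it."""
    return {d: effective_include_files(os.listdir(d)) for d in includedirs if os.path.isdir(d)}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        parsed, dirs = parse_krb5_conf(fh.read())
    print("KDC lookup:", kdc_sources(parsed))
    print("includedir files:", stray_includes(["/etc/krb5.conf.d/"] + dirs))
```

Run it against the host's /etc/krb5.conf (or a saved copy of the enrollment-time file) to see in one line whether the realm is pinned to a KDC or left to SRV discovery, and which includedir files are actually in play; anything listed beyond crypto-policies is worth reading before the next install.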