That's right, I did have ipa_server set to _srv_, must have edited
it at one point.
If you added this master through replica promotion, _srv_ might have
been left from the previous ipa-client-install.
> On 6 Oct 2017, at 12:37, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> On Fri, 06 Oct 2017, Marius Bjørnstad wrote:
>> Wow that's well spotted! That IP is the 4.4 server (I just blindly
>> assumed that it would use the value in krb5.conf, which is the 4.5
>> server). It goes to 248 every time.
>>
>> strace showed me that kinit gets the IP address from
>> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
>> IP address of the other master. I changed it to 192.168.1.249, the 4.5
>> master, and it works!
> This is fixed in 4.6.1 and backported to 4.5. In short, check
> /etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in
> 'ipa_server' option. If it does, remove it from there and only leave
> this master's fqdn:
> ipa_server = master.example.com
>
> SSSD also was updated to not write down KDC locator file in case we are
> running on IPA master (ipa_server_mode = True).
>
>
>>
>>
>>> On 6 Oct 2017, at 11:56, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>>
>>> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>>>> Thanks for the replies! I do have the krb5-pkinit package installed.
>>>> ipa-pkinit-manage status was disabled, but enabling it with
>>>> ipa-pkinit-manage enable didn't fix the problem.
>>>>
>>>> $ ipa pkinit-status --server=SERVER_NAME
>>>> says PKINIT is disabled.
>>>> # ipa-pkinit-manage status
>>>> now says it is enabled.
>>>> $ ipa config-show
>>>> does not list any IPA masters supporting PKINIT.
>>>>
>>>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>>>
>>>> I should note that we now have one server on 4.4, which I daren't
>>>> touch, and this one on 4.5 which is having issues.
>>>>
>>>> This is the output from kinit -n as my user, with KRB5_TRACE on. I
>>>> terminated it at the password prompt. So there is something wrong with the KDC?
>>>>
>>>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>>>> [3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/ANONYMOUS@OUS.NSC.LOCAL
>>>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>>>> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
>>>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>>>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
>>>> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
>>>> [3790] 1507282499.683039: Response was from master KDC
>>>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
>>>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>>>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>>>> [3790] 1507282499.683081: Received cookie: MIT
>>>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
>>>
>>> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>>>
>>>
>>>>
>>>>
>>>>
>>>>> On 5 Oct 2017, at 21:11, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>>>>
>>>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>>>
>>>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>>>>
>>>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote 192.168.1.48:244]
>>>>>>>>> CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_7424
>>>>>>>>> -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt
>>>>>>>>> -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>>>> non-zero exit status 1
>>>>>>>>
>>>>>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>>>>>> missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>>>> it's needed for WebUI login.
>>>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>>>
>>>>>> Hm, then the dependency was missing for the client packages for
>>>>>> Debian/Ubuntu.
>>>>> This should not be a problem for the case above because it is IPA
>>>>> master, not a client here.
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>
>>> --
>>> / Alexander Bokovoy
>>
>
> --
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
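The check and fix Alexander describes (drop _srv_ from ipa_server in /etc/sssd/sssd.conf on the master and leave only that master's fqdn), plus the /var/lib/sss/pubconf/kdcinfo.REALM file that strace turned up, written out as an added example script. This is not code from the thread, from FreeIPA or from SSSD. The file paths are the ones named above; the sample config, the realm EXAMPLE.TEST, the hostname master45.example.test and the two 192.168.1.x addresses are constructed for the demo and are assumptions, not real hosts.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA/SSSD. It audits an
# IPA master's sssd.conf for the "_srv_" entry in ipa_server that the thread
# traces the problem to, pins ipa_server to the master's own fqdn, and shows
# which KDC the SSSD locator file is steering kinit to. File paths are the
# stock ones named in the thread; the sample config, realm, hostnames and
# addresses below are constructed for the demo (assumptions, not real hosts).

PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"

# Print the ipa_server value from the first [domain/...] section of sssd.conf $1.
ipa_server_value() {
    awk '
        /^\[/ { insec = ($0 ~ /^\[domain\//); next }
        insec && /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Exit 0 when ipa_server_mode is on, i.e. SSSD believes this host is an IPA master.
is_ipa_server_mode() {
    grep -Eqi '^[[:space:]]*ipa_server_mode[[:space:]]*=[[:space:]]*true' "$1"
}

# Exit 0 when the ipa_server list still carries the _srv_ DNS-discovery entry.
has_srv_entry() {
    case "$(ipa_server_value "$1")" in
        *_srv_*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Rewrite the ipa_server line of sssd.conf $1 so it names only this master's fqdn $2.
pin_ipa_server() {
    sed "s|^\([[:space:]]*ipa_server[[:space:]]*=\).*|\1 $2|" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the KDC address recorded in the SSSD locator file for realm $1 (nothing if absent).
kdcinfo_target() {
    f="$PUBCONF_DIR/kdcinfo.$1"
    [ -r "$f" ] || return 0
    cat "$f"
}

# Exit 0 when the locator file for realm $1 exists and points somewhere other than $2.
kdcinfo_points_elsewhere() {
    kdc=$(kdcinfo_target "$1")
    [ -n "$kdc" ] && [ "$kdc" != "$2" ]
}

# Write the constructed sample config: _srv_ left over from ipa-client-install on a master.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
ipa_server = _srv_, master45.example.test
ipa_domain = example.test
krb5_realm = EXAMPLE.TEST
EOF
}

# One-shot audit: report, pin ipa_server if needed, and flag a stale locator file.
audit() {
    conf=$1; fqdn=$2; realm=$3; expected_kdc=$4
    if ! is_ipa_server_mode "$conf"; then
        echo "ipa_server_mode is not True in $conf; this check is for IPA masters only"
        return 0
    fi
    if has_srv_entry "$conf"; then
        echo "ipa_server = $(ipa_server_value "$conf")   <- _srv_ present, pinning to $fqdn"
        pin_ipa_server "$conf" "$fqdn"
    fi
    echo "ipa_server = $(ipa_server_value "$conf")"
    if kdcinfo_points_elsewhere "$realm" "$expected_kdc"; then
        echo "kdcinfo.$realm points at $(kdcinfo_target "$realm"), not $expected_kdc: kinit will talk to the other master"
    fi
}

# Demo on the constructed sample in a scratch directory (never touches /etc or /var).
d=$(mktemp -d)
PUBCONF_DIR="$d/pubconf"; mkdir -p "$PUBCONF_DIR"
write_sample_conf "$d/sssd.conf"
printf '192.168.1.248\n' > "$PUBCONF_DIR/kdcinfo.EXAMPLE.TEST"   # constructed: the other master
audit "$d/sssd.conf" master45.example.test EXAMPLE.TEST 192.168.1.249
rm -rf "$d"
```

On a real master you would call audit with /etc/sssd/sssd.conf, the host's own fqdn, the realm and the address kinit should reach, and restart sssd afterwards; the script only edits the file it is pointed at and leaves the locator file alone, since SSSD owns it.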