OK, here is the output (quite slow in doing the second kinit but did succeed in the end):
# KRB5CCNAME=FILE:/tmp/armor_ccache kinit -k
'host/ipa-server.localdomain@LOCALREALM'
# KRB5_TRACE=/dev/stdout kinit -T FILE:/tmp/armor_ccache rns@LOCALREALM
[59156] 1560216478.835910: Getting initial credentials for rns@LOCALREALM
[59156] 1560216478.835911: FAST armor ccache: FILE:/tmp/armor_ccache
[59156] 1560216478.835912: Retrieving host/ipa-server.localdomain@LOCALREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: from
FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835913: Read config in FILE:/tmp/armor_ccache for
krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[59156] 1560216478.835914: Using FAST due to armor ccache negotiation result
[59156] 1560216478.835915: Getting credentials host/ipa-server.localdomain@LOCALREALM
-> krbtgt/LOCALREALM@LOCALREALM using ccache FILE:/tmp/armor_ccache
[59156] 1560216478.835916: Retrieving host/ipa-server.localdomain@LOCALREALM ->
krbtgt/LOCALREALM@LOCALREALM from FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835917: Armor ccache sesion key: aes256-cts/DD29
[59156] 1560216478.835919: Creating authenticator for
host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM, seqnum 0,
subkey aes256-cts/F86D, session key aes256-cts/DD29
[59156] 1560216478.835921: FAST armor key: aes256-cts/6B25
[59156] 1560216478.835923: Sending unauthenticated request
[59156] 1560216478.835924: Encoding request body and padata into FAST request
[59156] 1560216478.835925: Sending request (1790 bytes) to LOCALREALM
[59156] 1560216478.835926: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216478.835927: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216488.846431: Sending initial UDP request to dgram 172.22.6.6:88
[59156] 1560216491.848556: Sending retry UDP request to dgram 172.22.6.6:88
[59156] 1560216494.267665: Received answer (640 bytes) from dgram 172.22.6.6:88
[59156] 1560216494.267666: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216494.267667: Response was from master KDC
[59156] 1560216494.267668: Received error from KDC: -1765328359/Additional
pre-authentication required
[59156] 1560216494.267669: Decoding FAST response
[59156] 1560216494.267672: Preauthenticating using KDC method data
[59156] 1560216494.267673: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
(15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147),
PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[59156] 1560216494.267674: Selected etype info: etype aes256-cts, salt
";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216494.267675: Received cookie: MIT
[59156] 1560216494.267676: PKINIT client has no configured identity; giving up
[59156] 1560216494.267677: Preauth module pkinit (147) (info) returned: 0/Success
[59156] 1560216494.267678: PKINIT client has no configured identity; giving up
[59156] 1560216494.267679: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[59156] 1560216494.267680: PKINIT client has no configured identity; giving up
[59156] 1560216494.267681: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
Password for rns@LOCALREALM:
[59156] 1560216500.214090: Preauth module encrypted_challenge (138) (real) returned:
0/Success
[59156] 1560216500.214091: Produced preauth for next request: PA-FX-COOKIE (133),
PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214092: Encoding request body and padata into FAST request
[59156] 1560216500.214093: Sending request (1889 bytes) to LOCALREALM
[59156] 1560216500.214094: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214095: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216500.214096: Received answer (1101 bytes) from stream 172.22.6.6:88
[59156] 1560216500.214097: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214098: Response was not from master KDC
[59156] 1560216500.214099: Decoding FAST response
[59156] 1560216500.214100: Processing preauth types: PA-ETYPE-INFO2 (19),
PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214101: Selected etype info: etype aes256-cts, salt
";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216500.214102: Preauth module encrypted_challenge (138) (real) returned:
0/Success
[59156] 1560216500.214103: Produced preauth for next request: (empty)
[59156] 1560216500.214104: AS key determined by preauth: aes256-cts/F080
[59156] 1560216500.214105: FAST reply key: aes256-cts/6C07
[59156] 1560216500.214106: Decrypted AS reply; session key is: aes256-cts/3A0A
[59156] 1560216500.214107: FAST negotiation: available
[59156] 1560216500.214108: Initializing KEYRING:persistent:0:0 with default princ
rns@LOCALREALM
[59156] 1560216500.214109: Storing rns@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM in
KEYRING:persistent:0:0
[59156] 1560216500.214110: Storing config in KEYRING:persistent:0:0 for
krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[59156] 1560216500.214111: Storing rns@LOCALREALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in
KEYRING:persistent:0:0
[59156] 1560216500.214112: Storing config in KEYRING:persistent:0:0 for
krbtgt/LOCALREALM@LOCALREALM: pa_type: 138
[59156] 1560216500.214113: Storing rns@LOCALREALM ->
krb5_ccache_conf_data/pa_type/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: in
KEYRING:persistent:0:0
Regards,
Robert.
Show replies by date