Hi everyone,
I am pretty new to FreeIPA and I like it a lot, but I have one problem which I cannot solve.
I am using ipa-server (freeipa-server) on Ubuntu 18.10 and ipa-clients on Debian 9, so I am
not using the ipa-client package, only nscd & sssd and configuration. All clients are
successfully enrolled and provided with a keytab file. Some clients work fine and it looks like
this (in /var/log/auth.log):
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: NEEDED_PREAUTH: host/some-working-host.domain.com(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18},
host/some-working-host.domain.com(a)DOMAIN.COM for krbtgt/DOMAIN.COM(a)DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18},
host/some-working-host.domain.com(a)DOMAIN.COM for ldap/ipa.domain.com(a)DOMAIN.COM
and some are not provided with the ldap line:
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: NEEDED_PREAUTH: host/some-not-working-host.domain.com(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18},
host/some-not-working-host.domain.com(a)DOMAIN.COM for krbtgt/DOMAIN.COM(a)DOMAIN.COM
(lines with "closing down fd 12" were omitted; hostnames, IPs and domains were also
replaced)
I've checked DNS settings, time difference and various logs but with no success.
I've also tried rm -f /var/lib/sss/db/* and reinstalling the client packages.
Do you have any idea where and what I should look for regarding this issue?
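An added example, not part of the original post: one way to list, from the KDC log, every principal that was issued a TGT (AS_REQ ... ISSUE for krbtgt/) but never an ldap/ service ticket (TGS_REQ ... ISSUE), which is the difference between the two excerpts above. The sample log is constructed (placeholder hosts, addresses and realm), and the function name is hypothetical. It assumes each entry sits on one line, as in the actual log file.

```python
import re

# Constructed sample modeled on the excerpts in the post; one entry per line.
SAMPLE_LOG = """\
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/good.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/good.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/good.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.20: NEEDED_PREAUTH: host/bad.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.20: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18}, host/bad.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# request type, client address, status, then "<client> for <service>".
# ISSUE entries carry an extra "authtime ..., etypes {...}, " field before the client.
ENTRY = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def principals_without_service_ticket(log_text, service_prefix="ldap/"):
    """Return clients that were issued a TGT but no ticket for service_prefix."""
    got_tgt, got_service = set(), set()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m is None or m["status"] != "ISSUE":
            continue  # skip unrelated lines and NEEDED_PREAUTH / error entries
        if m["req"] == "AS_REQ" and m["service"].startswith("krbtgt/"):
            got_tgt.add(m["client"])
        elif m["req"] == "TGS_REQ" and m["service"].startswith(service_prefix):
            got_service.add(m["client"])
    return sorted(got_tgt - got_service)


if __name__ == "__main__":
    for principal in principals_without_service_ticket(SAMPLE_LOG):
        print("TGT issued, no ldap/ ticket:", principal)
```

A principal in the result authenticated with its keytab, but no TGS_REQ for the LDAP service was logged for it by this KDC.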