On Mon, 11 Mar 2019, Callum Smith wrote:
Dear Alexander,

Some more (hopefully) helpful information with KRB5_TRACE on while
running ipa-client-install:
Thanks, I just sent a request for basically the same. ;)

ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@in.bmrc.ox.ac.uk:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache with client principal ad...@in.bmrc.ox.ac.uk for server principal ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293496: Getting credentials ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm: ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293517: Storing ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.

Ok, so the client actually asks for ldap/ipa-b.virt.$domain already,
good. It means the server only knows the key for
ldap/ipa-b.$domain.

An option would be to turn ldap/ipa-b.virt.$domain into a service
principal alias of ldap/ipa-b.$domain.

You would need to delete the ldap/ipa-b.virt.$domain principal first.

ipa service-del ldap/ipa-b.virt.$domain

and then add it as an alias for ldap/ipa-b.$domain:

ipa service-add-principal ldap/ipa-b.$domain ldap/ipa-b.virt.$domain

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
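As an added example (not part of the thread and not FreeIPA's own code), a small Python helper that pulls the requested service principal and the TGS result out of a KRB5_TRACE run like the one above, and models why a ticket for a separately keyed ldap/ipa-b.virt.$domain cannot be decrypted by an LDAP server whose keytab only holds ldap/ipa-b.$domain until that name becomes an alias. The realm, hostnames and sample trace lines are constructed placeholders.

```python
import re

# Constructed sample modelled on the KRB5_TRACE excerpt in the thread
# (placeholder realm and hostnames, not the original lines).
SAMPLE_TRACE = """\
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.example.test@EXAMPLE.TEST, referrals on
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.example.test@EXAMPLE.TEST
"""

TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
REQUEST = re.compile(r"^Requesting tickets for ([^,\s]+)(?:, referrals (?:on|off))?$")
RESULT = re.compile(r"^TGS request result: (-?\d+)/(.*)$")


def tgs_exchanges(trace_text):
    """Pair each 'Requesting tickets for' line with the TGS result after it.
    Returns dicts with the requested service principal, result code and text."""
    exchanges, current = [], None
    for raw in trace_text.splitlines():
        m = TRACE_LINE.match(raw)
        if not m:
            continue  # prompts and installer messages are not trace lines
        msg = m.group(1)
        r = REQUEST.match(msg)
        if r:
            current = {"service": r.group(1), "code": None, "status": None}
            exchanges.append(current)
            continue
        r = RESULT.match(msg)
        if r and current is not None:
            current["code"], current["status"] = int(r.group(1)), r.group(2)
    return exchanges


def service_can_decrypt(requested, keytab_principals, aliases):
    """The KDC issues a ticket for the requested name; the service can only
    decrypt it if the key it was issued under is in the service's keytab.
    A standalone principal uses its own key; an alias uses its canonical
    principal's key (aliases maps alias -> canonical principal)."""
    canonical = aliases.get(requested, requested)
    return canonical in keytab_principals


if __name__ == "__main__":
    keytab = {"ldap/ipa-b.example.test@EXAMPLE.TEST"}  # what the LDAP server holds
    for ex in tgs_exchanges(SAMPLE_TRACE):
        ok = service_can_decrypt(ex["service"], keytab, {})
        print(f"{ex['service']}: TGS {ex['code']}/{ex['status']}, decryptable: {ok}")
```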
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org