Dear Alexander,

No worries - here's the krb5kdc.log relevant area when you get a moment. I 
understand that service aliases are relatively new to FreeIPA so debugging them 
is proving to be a bit tricky.

Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: ad...@in.bmrc.ox.ac.uk for krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, ad...@in.bmrc.ox.ac.uk for krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, ad...@in.bmrc.ox.ac.uk for ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, ad...@in.bmrc.ox.ac.uk for HTTP/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, ad...@in.bmrc.ox.ac.uk for krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, ad...@in.bmrc.ox.ac.uk for ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/virt-test.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk for krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, host/virt-test.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk for krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11

We're very grateful for your time - particularly when it may be taking you away 
from things like implementing the Global Catalogue we're eager for :D.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 12 Mar 2019, at 11:52, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
ldap/ipa-b.virt.$domain > ldap/ipa-b.$domain
HTTP/ipa-b.virt.$domain > HTTP/ipa-b.$domain

both aliases as above - krb5trace should be in attachments on previous message.
My bad. Thanks, can you also give krb5kdc.log output from the KDC server the
client talked to?

It looks like KDC is not finding something and returning PROCESS_TGS. I
have no time to look into details right now.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
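
When reading a krb5kdc.log excerpt like the one quoted in this thread, it helps to parse each AS_REQ/TGS_REQ line and filter by status and target principal, so that a request for an alias principal (or its absence) stands out. This is an added example, not part of the original messages or of FreeIPA's tooling; the hosts, realm, addresses and the failing line's error text are constructed placeholders.

```python
import re

# Constructed sample in the krb5kdc.log layout quoted in the message above;
# hosts, realm, addresses and the final error text are placeholders.
SAMPLE = """\
Mar 12 10:54:31 kdc.example.test krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Mar 12 10:54:31 kdc.example.test krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 kdc.example.test krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 12 10:54:31 kdc.example.test krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa-b.example.test@EXAMPLE.TEST
Mar 12 10:54:32 kdc.example.test krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PROCESS_TGS: authtime 0, admin@EXAMPLE.TEST for ldap/ipa-b.virt.example.test@EXAMPLE.TEST, constructed error text
"""

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]+\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINCS = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")

def parse(log_text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        p = PRINCS.search(m["rest"])
        out.append({"req": m["req"], "addr": m["addr"], "status": m["status"],
                    "client": p["client"] if p else None,
                    "server": p["server"] if p else None})
    return out

def failures(entries):
    """Requests not answered with a ticket (the preauth hint is routine)."""
    return [e for e in entries if e["status"] not in ("ISSUE", "NEEDED_PREAUTH")]

def requested(entries, service_prefix):
    """TGS requests whose target principal starts with service_prefix."""
    return [e for e in entries if e["req"] == "TGS_REQ"
            and e["server"] and e["server"].startswith(service_prefix)]

if __name__ == "__main__":
    for e in failures(parse(SAMPLE)):
        print(e["status"], e["client"], "->", e["server"])
```

An empty result from `requested()` for the alias prefix means the KDC whose log was parsed never logged a TGS request for that principal.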
