[Freeipa-devel] kinit: Cannot contact any KDC for realm... from Freeipa clinet (Active Directory trust setup)

rajat gupta rajat.linux at gmail.com
Mon Oct 10 03:23:32 UTC 2016


Hi,

I am trying to set up the FreeIPA Active Directory trust and I am
following the http://www.freeipa.org/page/Active_Directory_trust_setup documentation.

I am able to log in on the FreeIPA server with AD users.

But when I try to log in from some other IPA client machine, I am not
able to log in with an AD user.

The required firewall ports are open between the FreeIPA server and the AD server, and
between the FreeIPA server and the FreeIPA clients.

No firewall port is open between the FreeIPA client and the AD
server.

=================================================================
Against the AD domain from the IPA server:

ipa01 ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
[24633] 1476069033.462976: Resolving unique ccache of type KEYRING
[24633] 1476069033.463027: Getting initial credentials for
rajat.g at AD.ADDOMAIN.COM
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
[24633] 1476069033.474439: Sending initial UDP request to dgram
192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram
192.168.20.100:88
[24633] 1476069033.488098: Response was not from master KDC
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional
pre-authentication required
[24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
[24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt
"AD.ADDOMAIN.COMRajat.Gupta", params ""
[24633] 1476069033.488215: PKINIT client has no configured identity; giving
up
[24633] 1476069033.488233: PKINIT client has no configured identity; giving
up
[24633] 1476069033.488242: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[24633] 1476069033.488250: PKINIT client has no configured identity; giving
up
[24633] 1476069033.488255: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Password for rajat.g at AD.ADDOMAIN.COM:

This is working fine.
=================================================================


=================================================================
Against the AD domain from the IPA client:

ipaclinet ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
[4133] 1476067599.43421: Getting initial credentials for rajat.g at AD.ADDOMAIN.COM
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100

NOT WORKING
=================================================================

=================================================================
Against the IPA domain from the IPA client:

# KRB5_TRACE=/dev/stdout kinit  admin at IPA.IPASERVER.LOCAL
[4914] 1476068067.763574: Getting initial credentials for
admin at IPA.IPASERVER.LOCAL
[4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
[4914] 1476068067.764033: Initiating TCP connection to stream
10.246.104.14:88
[4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
[4914] 1476068067.767593: Received answer (356 bytes) from stream
192.168.100.100:88
[4914] 1476068067.767603: Terminating TCP connection to stream
192.168.100.100:88
[4914] 1476068067.767661: Response was from master KDC
[4914] 1476068067.767685: Received error from KDC: -1765328359/Additional
pre-authentication required
[4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
[4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt
"k},(k&+qA)Mosf6z", params ""
[4914] 1476068067.767747: Received cookie: MIT
Password for admin at IPA.IPASERVER.LOCAL:

This is working fine.
=================================================================


It looks like, for password-based authentication requests, the IPA clients
connect directly to the AD servers using Kerberos.

Then a firewall port opening is required between the IPA client and the AD
server as well. Is it required? Or am I doing something wrong?

/Rajat


-- 

Rajat Gupta
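As an added example (not code from the post or from the FreeIPA project), a small parser that reads KRB5_TRACE output like the three captures above and reports whether any KDC of the realm actually answered, distinguishing a blocked port 88 from the normal "Additional pre-authentication required" reply. The sample traces are constructed to mirror the quoted output, and the verdict strings and the PREAUTH_REQUIRED handling are assumptions of this example.

```python
import re

# Constructed sample traces modelled on the kinit output quoted in the post
# (same realm and addresses as the post; they are not real hosts).
CLIENT_TO_AD = """\
[4133] 1476067599.43421: Getting initial credentials for rajat.g@AD.ADDOMAIN.COM
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100:88
"""
SERVER_TO_AD = """\
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
"""

REALM_RE = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
SEND_RE = re.compile(r"Sending (?:initial UDP|TCP) request to (?:dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (\S+)")
KDCERR_RE = re.compile(r"Received error from KDC: (-?\d+)/")

# KRB5KDC_ERR_PREAUTH_REQUIRED: the KDC asking for pre-authentication is a
# normal step of a password kinit, not a failure.
PREAUTH_REQUIRED = -1765328359

def diagnose(trace):
    """Return the realm, KDC addresses tried/answered and a one-line verdict."""
    realm, tried, answered, errors = None, [], [], []
    for line in trace.splitlines():
        if m := REALM_RE.search(line):
            realm = m.group(1)
        elif m := SEND_RE.search(line):
            tried.append(m.group(1))
        elif m := RECV_RE.search(line):
            answered.append(m.group(1))
        elif m := KDCERR_RE.search(line):
            errors.append(int(m.group(1)))
    real_errors = [e for e in errors if e != PREAUTH_REQUIRED]
    if not tried:
        verdict = "no KDC address resolved (check DNS SRV records or krb5.conf)"
    elif not answered:
        # Request left the client but nothing came back: the classic symptom of
        # port 88 being blocked between the client and the realm's KDCs.
        verdict = "no KDC answered: %s unreachable on port 88" % ", ".join(tried)
    elif real_errors:
        verdict = "KDC reachable but returned error code(s): %s" % real_errors
    else:
        verdict = "KDC reachable"
    return {"realm": realm, "tried": tried, "answered": answered, "verdict": verdict}
```

Run it over the real trace with `diagnose(open("trace.txt").read())`; a trace ending at "Sending initial UDP request" with no "Received answer" line is the client-side signature of the blocked path described in the post.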