[Freeipa-devel] kinit: Cannot contact any KDC for realm... from Freeipa client (Active Directory trust setup)

rajat gupta rajat.linux at gmail.com
Mon Oct 10 07:43:24 UTC 2016


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports

These ports are required for the trust. Is port 88 required to be open from the IPA
client to AD?


On Mon, Oct 10, 2016 at 5:23 AM, rajat gupta <rajat.linux at gmail.com> wrote:

> Hi,
>
> I am trying to set up the FreeIPA Active Directory trust and I am
> following
> the http://www.freeipa.org/page/Active_Directory_trust_setup
> documentation.
>
> I am able to log in on the FreeIPA server with AD users.
>
> But when I am trying to log in from some other IPA client machine, I am not
> able to log in with an AD user.
>
> The required firewall ports are opened between the FreeIPA server and the
> AD server, and between the FreeIPA server and the FreeIPA clients.
>
> No firewall port is opened from the FreeIPA client to the AD
> server.
>
> =================================================================
> against addomain from ipaserver :-
>
> ipa01 ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
> [24633] 1476069033.462976: Resolving unique ccache of type KEYRING
> [24633] 1476069033.463027: Getting initial credentials for
> rajat.g at AD.ADDOMAIN.COM
> [24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
> [24633] 1476069033.474439: Sending initial UDP request to dgram
> 192.168.20.100:88
> [24633] 1476069033.487765: Received answer (212 bytes) from dgram
> 192.168.20.100:88
> [24633] 1476069033.488098: Response was not from master KDC
> [24633] 1476069033.488136: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
> [24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt
> "AD.ADDOMAIN.COMRajat.Gupta", params ""
> [24633] 1476069033.488215: PKINIT client has no configured identity;
> giving up
> [24633] 1476069033.488233: PKINIT client has no configured identity;
> giving up
> [24633] 1476069033.488242: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [24633] 1476069033.488250: PKINIT client has no configured identity;
> giving up
> [24633] 1476069033.488255: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> Password for rajat.g at AD.ADDOMAIN.COM:
>
> this is working fine.
> =================================================================
>
>
> =================================================================
> against addomain from ipaclient :-
>
> ipaclinet ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
> [4133] 1476067599.43421: Getting initial credentials for
> rajat.g at AD.ADDOMAIN.COM
> [4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
> [4133] 1476067599.53762: Sending initial UDP request to dgram
> 192.168.20.100
>
> NOT WORKING
> =================================================================
>
> =================================================================
> against ipadomain from ipaclient
>
> # KRB5_TRACE=/dev/stdout kinit  admin at IPA.IPASERVER.LOCAL
> [4914] 1476068067.763574: Getting initial credentials for
> admin at IPA.IPASERVER.LOCAL
> [4914] 1476068067.763889: Sending request (177 bytes) to
> IPA.IPASERVER.LOCAL
> [4914] 1476068067.764033: Initiating TCP connection to stream
> 10.246.104.14:88
> [4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
> [4914] 1476068067.767593: Received answer (356 bytes) from stream
> 192.168.100.100:88
> [4914] 1476068067.767603: Terminating TCP connection to stream
> 192.168.100.100:88
> [4914] 1476068067.767661: Response was from master KDC
> [4914] 1476068067.767685: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
> [4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt
> "k},(k&+qA)Mosf6z", params ""
> [4914] 1476068067.767747: Received cookie: MIT
> Password for admin at IPA.IPASERVER.LOCAL:
>
> this is working fine.
> =================================================================
>
>
> It looks like for password-based authentication requests, the IPA clients
> connect directly to the AD servers using Kerberos.
>
> Then a firewall port opening is required between the IPA client and the AD
> server as well. Is it required? Or am I doing something wrong?
>
> /Rajat
>
> --
>
> Rajat Gupta

--

Rajat Gupta
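The three KRB5_TRACE captures above differ in one detail: on the IPA server and for the IPA realm a "Sending ... request" line is followed by a "Received answer" line from the same KDC endpoint, while the client-to-AD capture stops after the UDP request to 192.168.20.100. Kerberos password authentication for a principal of a realm requires an answer from a KDC of that realm (port 88), so an endpoint that was sent to but never answered is the symptom to look for. The script below is an added diagnostic, not part of this thread or of FreeIPA; it assumes MIT krb5's trace wording as quoted above, and the embedded sample traces are re-joined copies of the quoted output (the list archive's "at" address munging is not relevant because only the socket lines are parsed).

```python
"""Summarise which KDC endpoints answered in a KRB5_TRACE capture.

Added example for diagnosing "Cannot contact any KDC"; assumes the
MIT krb5 trace message wording shown in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A request leaving the client (UDP or TCP), with an optional ":port".
SEND_RE = re.compile(
    r"Sending (?:initial UDP request|TCP request) to (?:dgram|stream) "
    r"(?P<host>[0-9.]+)(?::(?P<port>\d+))?"
)
# A reply arriving from a KDC endpoint.
RECV_RE = re.compile(
    r"Received answer \((?P<bytes>\d+) bytes\) from (?:dgram|stream) "
    r"(?P<host>[0-9.]+)(?::(?P<port>\d+))?"
)


def _endpoint(m: "re.Match") -> str:
    """Normalise host/port into one key; '?' when the port was not logged."""
    return f"{m.group('host')}:{m.group('port') or '?'}"


def analyse_trace(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Return {endpoint: (requests_sent, answers_received)} for a trace."""
    sent: Dict[str, int] = defaultdict(int)
    received: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            sent[_endpoint(m)] += 1
            continue
        m = RECV_RE.search(line)
        if m:
            received[_endpoint(m)] += 1
    endpoints = sorted(set(sent) | set(received))
    return {ep: (sent[ep], received[ep]) for ep in endpoints}


def unanswered(stats: Dict[str, Tuple[int, int]]) -> List[str]:
    """Endpoints that received at least one request but never answered.

    On a client this usually means the path to that KDC (port 88) is
    filtered or the host is unreachable.
    """
    return [ep for ep, (s, r) in stats.items() if s and not r]


def report(name: str, lines: List[str]) -> str:
    stats = analyse_trace(lines)
    out = [f"{name}:"]
    for ep, (s, r) in stats.items():
        out.append(f"  {ep}: sent={s} received={r}")
    bad = unanswered(stats)
    out.append("  no reply from: " + (", ".join(bad) if bad else "none"))
    return "\n".join(out)


# Sample traces, re-joined from the captures quoted in the thread.
SERVER_TO_AD = """
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488098: Response was not from master KDC
""".strip().splitlines()

CLIENT_TO_AD = """
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100
""".strip().splitlines()

CLIENT_TO_IPA = """
[4914] 1476068067.764033: Initiating TCP connection to stream 10.246.104.14:88
[4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
[4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
[4914] 1476068067.767603: Terminating TCP connection to stream 192.168.100.100:88
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("ipaserver -> AD", SERVER_TO_AD),
                        ("ipaclient -> AD", CLIENT_TO_AD),
                        ("ipaclient -> IPA", CLIENT_TO_IPA)):
        print(report(name, trace))
```

Run it against a real capture with `KRB5_TRACE=/tmp/kinit.trace kinit user@REALM` and feed the file's lines to `analyse_trace`; any endpoint listed under "no reply from" is the KDC address to check with the firewall team, since the trace already shows that name resolution succeeded and only the transport to port 88 failed.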