[Freeipa-users] Kerberos Authentication (again)
Fraginhell
fraginhell at gmail.com
Thu Dec 11 03:15:32 UTC 2008
Hi,
Sorry to bring the subject up again, but I can't see for looking where
I might have gone wrong. I have setup a lab with Fedora 9. I have an
ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
DNS and reverse DNS are working correctly.
IPA server installed without problems and so did the client. On the
server I can kinit admin and then ipa-finduser admin and ldapsearch
-Y GSSAPI -h ipaserver.labs.example.com.au -b
"dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
My client is configured using the krb5.conf from the docs:

[libdefaults]
  default_realm = LABS.EXAMPLE.COM.AU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  #forwardable = yes
  ticket_lifetime = 24h

[realms]
  LABS.EXAMPLE.COM.AU = {
    kdc = ipaserver.labs.example.com.au:88
    admin_server = ipaserver.labs.example.com.au:749
    default_domain = labs.example.com.au
  }

[domain_realm]
  .labs.example.com.au = LABS.EXAMPLE.COM.AU
  labs.example.com.au = LABS.EXAMPLE.COM.AU
On the client I can kinit admin:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LABS.EXAMPLE.COM.AU

Valid starting     Expires            Service principal
12/11/08 14:03:18  12/12/08 14:03:16  krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
On the ipaserver I can see the authentication complete:

Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
admin@LABS.EXAMPLE.COM.AU for
krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional
pre-authentication required

Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU
for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Now when I add the host service:

ipa-addservice host/ipaclient.labs.example.com.au
Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
provide more information/Server not found in Kerberos database

On the server I see:

Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for
HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database
According to the troubleshooting guide, this is a DNS problem. On the server:

nslookup ipaclient
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   ipaclient.labs.example.com.au
Address: 10.212.50.31

nslookup 10.212.50.31
Server:     127.0.0.1
Address:    127.0.0.1#53

31.50.212.10.in-addr.arpa name = ipaclient.labs.example.com.au.
The other mention in the troubleshooting guide is:

    You may have multiple entries for the same host created by different KDCs.

Not sure what this means, or where to go from here.
Thanks
Keith.
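The TGS_REQ line in the server log above names HTTP/ipasever.labs.example.com.au, which is not the KDC hostname ipaserver.labs.example.com.au that appears everywhere else in the post, so a check worth adding to the forward and reverse DNS tests is a comparison of the exact host in the principal the client asked for against the hosts that actually exist. As an added example that is not from the original post or from FreeIPA, the following Python script parses krb5kdc log lines in the format quoted above and does that comparison, suggesting the nearest known hostname when the requested one is unknown. The sample log lines are the three quoted in the post, reflowed onto single lines with the archive's " at " restored to "@"; the known-host table is constructed from the two hostnames in the post (in practice it would be filled from DNS or the IPA host list).

```python
"""Cross-check the service principals named in krb5kdc log entries.

Added example (not from the original post or from FreeIPA): parses the MIT
krb5kdc log format quoted in the thread and, for every UNKNOWN_SERVER entry,
checks the host in the requested principal against a table of known hosts.
"""
import difflib
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# "<ts> <kdc> krb5kdc[pid](info): <AS_REQ|TGS_REQ> (<etypes>) <ip>: <STATUS>: <rest>"
_LOG_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\):\s+(?P<req>AS_REQ|TGS_REQ)\s+\(.*?\)\s+"
    r"(?P<ip>[\d.]+):\s+(?P<status>[A-Z_]+):\s+(?P<rest>.*)$"
)
# Inside <rest>: "... <client>@<REALM> for <service>@<REALM> ..."
_PRINC_RE = re.compile(
    r"(?P<client>[^\s,]+@[A-Z0-9.\-]+)\s+for\s+(?P<service>[^\s,]+@[A-Z0-9.\-]+)"
)

# Constructed sample: the three log lines quoted in the post, reflowed onto one
# line each, with the archive's " at " obfuscation restored to "@".
SAMPLE_KDC_LOG = [
    "Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): "
    "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: "
    "admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, "
    "Additional pre-authentication required",
    "Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): "
    "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, "
    "etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for "
    "krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU",
    "Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): "
    "TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: "
    "authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for "
    "HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, "
    "Server not found in Kerberos database",
]

# Constructed host table (hypothetical): the two hosts named in the post. In a
# real check, populate it from DNS or the IPA host list instead.
KNOWN_HOSTS = ["ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"]


@dataclass
class KdcRequest:
    req_type: str  # AS_REQ or TGS_REQ
    client_ip: str
    status: str    # ISSUE, NEEDED_PREAUTH, UNKNOWN_SERVER, ...
    client: str    # requesting principal
    service: str   # requested service principal


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    """Parse one krb5kdc request line; None if it is not a request entry."""
    m = _LOG_RE.search(line)
    p = _PRINC_RE.search(m.group("rest")) if m else None
    if not p:
        return None
    return KdcRequest(m.group("req"), m.group("ip"), m.group("status"),
                      p.group("client"), p.group("service"))


def service_host(principal: str) -> Optional[str]:
    """Host part of HTTP/host@REALM; None for user principals and for
    krbtgt/REALM, whose second component is a realm, not a host."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    svc, host = name.split("/", 1)
    return None if svc == "krbtgt" else host.lower()


def check_unknown_servers(lines: Iterable[str], known_hosts: Iterable[str]) -> list:
    """Report each UNKNOWN_SERVER entry: is the requested host known, and if
    not, which known hostname is closest (a likely typo somewhere on the client)."""
    known = sorted({h.lower() for h in known_hosts})
    findings = []
    for line in lines:
        req = parse_kdc_line(line)
        if req is None or req.status != "UNKNOWN_SERVER":
            continue
        host = service_host(req.service)
        if host is None:
            continue
        close = difflib.get_close_matches(host, known, n=1, cutoff=0.9)
        findings.append({"client": req.client, "service": req.service,
                         "host": host, "host_known": host in known,
                         "closest_known_host": close[0] if close else None})
    return findings


if __name__ == "__main__":
    for f in check_unknown_servers(SAMPLE_KDC_LOG, KNOWN_HOSTS):
        print(f"{f['client']} asked for {f['service']}: known={f['host_known']}, "
              f"closest known host={f['closest_known_host']}")
```

Run as a script it reports the one UNKNOWN_SERVER entry, with the requested host flagged as unknown and ipaserver.labs.example.com.au as the nearest known name. A near-miss like that is worth chasing in whatever on the client supplies the service name, because forward and reverse DNS can both be correct for the real hosts and still leave the KDC with no principal for the name actually requested.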