[Freeipa-users] Kerberos Authentication (again)

Fraginhell fraginhell at gmail.com
Thu Dec 11 03:15:32 UTC 2008


Hi,

Sorry to bring the subject up again, but I can't see for looking where
I might have gone wrong. I have set up a lab with Fedora 9. I have an
ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
DNS and reverse lookup are working correctly.
IPA server installed without problems and so did the client. On the
server I can kinit admin and then ipa-finduser admin and ldapsearch
-Y GSSAPI -h ipaserver.labs.example.com.au -b
"dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
My client is configured using the krb5.conf from the docs:

[libdefaults]
 default_realm = LABS.EXAMPLE.COM.AU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 #forwardable = yes
 ticket_lifetime = 24h

[realms]
 LABS.EXAMPLE.COM.AU = {
  kdc = ipaserver.labs.example.com.au:88
  admin_server = ipaserver.labs.example.com.au:749
  default_domain = labs.example.com.au
 }
[domain_realm]
 .labs.example.com.au = LABS.EXAMPLE.COM.AU
 labs.example.com.au = LABS.EXAMPLE.COM.AU

On the client I can kinit admin:

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: admin@LABS.EXAMPLE.COM.AU

Valid starting     Expires            Service principal
12/11/08 14:03:18  12/12/08 14:03:16
krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

On the ipaserver I can see the authentication complete:

Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
admin@LABS.EXAMPLE.COM.AU for
krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional
pre-authentication required

Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU
for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Now when I add the host service:

ipa-addservice host/ipaclient.labs.example.com.au
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
provide more information/Server not found in Kerberos database

On the server I see:

Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for
HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database

According to the troubleshooting guide, this is a DNS problem. On the server:

nslookup ipaclient

Server:		127.0.0.1
Address:	127.0.0.1#53
Name:	ipaclient.labs.example.com.au
Address: 10.212.50.31

nslookup 10.212.50.31
Server:		127.0.0.1
Address:	127.0.0.1#53
31.50.212.10.in-addr.arpa	name = ipaclient.labs.example.com.au.

The other mention in the troubleshooting guide is:
"You may have multiple entries for the same host created by different KDCs."
Not sure what this means, or where to go from here.

Thanks

Keith.



