[Freeipa-users] Kerberos Authentication (again)

Dmitri Pal dpal at redhat.com
Thu Dec 11 04:34:55 UTC 2008


Fraginhell wrote:
> Dmitri,
>
> wow thanks for such a quick reply,
>
>   
Hm, I might have misread the error in your original post.
I thought that you managed to create the service record. It looks like 
it failed first.
Are you saying it fails to create the service itself?

Then this is really on the edge of what I understand (learning the product 
myself).
Can it be that the host is already enrolled with some other Kerberos 
server and has a keytab from it?

Sorry if there will be more confusion than help.
Dmitri


>  ipa-getkeytab -s ipaserver.labs.example.com.au -p
> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
> SASL Bind failed!
>
> on the server I see
> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598,  admin at LABS.INFOPLEX.COM.AU for
> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
> The guide says to add the host principal first on the server. If I do an
> ipa-findservice I can see lots of entries for the server but none for the
> client.
>
> Keith.
>
> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>   
>> Fraginhell wrote:
>>     
>>> Hi,
>>>
>>> Sorry to bring the subject up again, but I can't see for looking where
>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>> DNS and reverse DNS are working correctly.
>>> IPA server installed without problems and so did the client. On the
>>> server I can kinit admin and then ipa-finduser admin and  ldapsearch
>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>> My client is configured using the krb5.conf from the docs
>>>
>>> [libdefaults]
>>>  default_realm = LABS.EXAMPLE.COM.AU
>>>  dns_lookup_realm = true
>>>  dns_lookup_kdc = true
>>>  #forwardable = yes
>>>  ticket_lifetime = 24h
>>>
>>> [realms]
>>>  LABS.EXAMPLE.COM.AU = {
>>>  kdc = ipaserver.labs.example.com.au:88
>>>  admin_server = ipaserver.labs.example.com.au:749
>>>  default_domain = labs.example.com.au
>>>  }
>>> [domain_realm]
>>>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>
>>> on the client I can kinit admin
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>
>>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>>
>>> Valid starting     Expires            Service principal
>>> 12/11/08 14:03:18  12/12/08 14:03:16
>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>>
>>> on the ipaserver I can see the authentication complete
>>>  Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>>> admin at LABS.EXAMPLE.COM.AU for
>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>>> pre-authentication required
>>>
>>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>
>>> now when I add the host service
>>> ipa-addservice host/ipaclient.labs.example.com.au
>>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>>> provide more information/Server not found in Kerberos database
>>> On the server I see
>>>
>>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>> found in Kerberos database
>>>
>>>
>>>       
>> Did you do ipa-getkeytab on the client where the service is going to run?
>> See http://www.freeipa.org/page/ConfiguringFedoraClients and the steps to
>> retrieve the keytab before using the service.
>> The operation will initialize the Kerberos attributes inside the service entry.
>> Without it the service is just an empty container not yet known to the KDC.
>>
>> Thanks
>> Dmitri
>>     
>>> According to the troubleshooting guide, this is a DNS problem:
>>> on the server
>>> nslookup ipaclient
>>>
>>> Server:         127.0.0.1
>>> Address:        127.0.0.1#53
>>> Name:   ipaclient.labs.example.com.au
>>> Address: 10.212.50.31
>>>
>>>  nslookup 10.212.50.31
>>> Server:         127.0.0.1
>>> Address:        127.0.0.1#53
>>> 31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.
>>>
>>> The other mention in the troubleshooting guide is:
>>> You may have multiple entries for the same host created by different KDCs.
>>> Not sure what this means, or where to go from here.
>>>
>>> Thanks
>>>
>>> Keith.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
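The krb5kdc entries quoted in this thread carry the client address, the request type, the result code and the requested service principal. The following added example (mine, not code from the thread participants or the FreeIPA project) parses lines in that format and, for each UNKNOWN_SERVER result, checks the host part of the requested principal against the hosts the lab actually has, so a service entry that merely lacks a key can be told apart from a server name that the realm has never heard of; the KNOWN_HOSTS set and the final host/ sample line are assumptions for illustration.

```python
import re

# Constructed sample, not a captured file: the krb5kdc entries quoted in the
# thread, unwrapped to one line each and with the archive's " at " restored to
# "@", plus one constructed host/ entry (last line) to exercise the other branch.
SAMPLE_LOG = """\
Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 15:10:02 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for host/ipaclient.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

# Host names the lab in the thread actually has (assumed list for the check).
KNOWN_HOSTS = {"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")

def parse_kdc_line(line):
    """Return the fields of one krb5kdc log entry, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {k: m.group(k) for k in ("ts", "req", "ip", "status")}
    p = PRINC_RE.search(m.group("rest"))
    entry["client"] = p.group("client") if p else None
    entry["service"] = p.group("service") if p else None
    return entry

def diagnose_unknown_servers(lines, known_hosts=KNOWN_HOSTS):
    """List each UNKNOWN_SERVER entry with a hint: a known host means the service
    entry has no key yet; an unknown host points at the client's configured name."""
    findings = []
    for line in lines:
        e = parse_kdc_line(line)
        if not e or e["status"] != "UNKNOWN_SERVER" or not e["service"]:
            continue
        name = e["service"].split("@", 1)[0]          # e.g. ldap/ipasever.labs...
        host = name.split("/", 1)[1] if "/" in name else ""
        if host in known_hosts:
            hint = "known host: service entry has no key yet, retrieve the keytab first"
        else:
            hint = "unknown host: check the server name the client is configured with"
        findings.append((e["ip"], name, hint))
    return findings
```

Run `diagnose_unknown_servers(SAMPLE_LOG.splitlines())` to see that the two entries from the thread are flagged for their host part while the constructed host/ entry is reported as an unkeyed service entry.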