[Freeipa-users] Kerberos Authentication (again)

Fraginhell fraginhell at gmail.com
Thu Dec 11 04:49:17 UTC 2008


Yes, I cannot create the service. It works on the IPA server; I can
create it there (and delete it again), maybe that's the problem.
I'm sure it's not on the IPA server anymore, as

ipa-findservice host/ipaclient.labs.example.com.au
No entries found for host/ipaclient.labs.example.com.au

I just checked the client's /etc/krb5.keytab file and it does not exist.
What bothers me is that on the server (/var/log/krb5kdc.log) the log says
UNKNOWN_SERVER; I'm not sure how much of the problem this is.

Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database



2008/12/11 Dmitri Pal <dpal at redhat.com>:
> Fraginhell wrote:
>>
>> Dmitri,
>>
>> wow thanks for such a quick reply,
>>
>>
>
> Hm, I might have misread the error in your original post.
> I thought that you managed to create the service record. It looks like it
> failed first.
> Are you saying it fails to create the service itself?
>
> Then this is really on the edge of what I understand (learning product
> myself).
> Can it be that the host is already enrolled with some other kerberos server
> and has a keytab from it?
>
> Sorry if there will be more confusion than help.
> Dmitri
>
>
>>  ipa-getkeytab -s ipaserver.labs.example.com.au -p
>> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
>> SASL Bind failed!
>>
>> on the server I see
>> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>> The guide says to add the host principal first on the server. If I do an
>> ipa-findservice I can see lots of entries for the server but none for the
>> client.
>>
>> Keith.
>>
>>
>>
>>
>>
>> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>>
>>>
>>> Fraginhell wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> Sorry to bring the subject up again, but I can't see for looking where
>>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>>> DNS and reverse lookup are working correctly.
>>>> IPA server installed without problems and so did the client. On the
>>>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>>> My client is configured using the krb5.conf from the docs
>>>>
>>>> [libdefaults]
>>>>  default_realm = LABS.EXAMPLE.COM.AU
>>>>  dns_lookup_realm = true
>>>>  dns_lookup_kdc = true
>>>>  #forwardable = yes
>>>>  ticket_lifetime = 24h
>>>>
>>>> [realms]
>>>>  LABS.EXAMPLE.COM.AU = {
>>>>  kdc = ipaserver.labs.example.com.au:88
>>>>  admin_server = ipaserver.labs.example.com.au:749
>>>>  default_domain = labs.example.com.au
>>>>  }
>>>> [domain_realm]
>>>>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>
>>>> on the client I can kinit admin
>>>>
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>
>>>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 12/11/08 14:03:18  12/12/08 14:03:16
>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>>
>>>> on the ipaserver I can see the authentication complete
>>>>  Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>>>> admin at LABS.EXAMPLE.COM.AU for
>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>>>> pre-authentication required
>>>>
>>>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>>>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>>>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>
>>>> now when I add the host service
>>>> ipa-addservice host/ipaclient.labs.example.com.au
>>>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>>>> provide more information/Server not found in Kerberos database
>>>> On the server I see
>>>>
>>>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>> found in Kerberos database
>>>>
>>>>
>>>>
>>>
>>> Did you do ipa-getkeytab on the client where the service is going to run?
>>> See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
>>> retrieve keytab before using service.
>>> The operation will initialize kerberos attributes inside the service
>>> entry.
>>> Without it the service is just an empty container not yet known to KDC.
>>>
>>> Thanks
>>> Dmitri
>>>
>>>>
>>>> According to troubleshooting, this is a dns problem:
>>>> on the server
>>>> nslookup ipaclient
>>>>
>>>> Server:         127.0.0.1
>>>> Address:        127.0.0.1#53
>>>> Name:   ipaclient.labs.example.com.au
>>>> Address: 10.212.50.31
>>>>
>>>>  nslookup 10.212.50.31
>>>> Server:         127.0.0.1
>>>> Address:        127.0.0.1#53
>>>> 31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.
>>>>
>>>> The other mention in the troubleshooting guide is :
>>>> You may have multiple entries for the same host created by different
>>>> KDCs.
>>>> Not sure what this means, or where to go from here.
>>>>
>>>> Thanks
>>>>
>>>> Keith.
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>
>>>
>
>
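A small diagnostic for the krb5kdc.log lines quoted throughout this thread, added here as an example (it is not code from the thread or from FreeIPA). It parses AS_REQ/TGS_REQ entries, extracts the client and requested server principals, and for every `UNKNOWN_SERVER` result compares the host part of the requested principal against the KDC's own host name (and any extra names you pass in). The sample lines are constructed in the same format as the ones quoted above, with a real `@` where the list archive rewrites it as " at ". Run on those lines, it reports that the requested `ipasever.labs.example.com.au` is one character away from the KDC's `ipaserver.labs.example.com.au`, which is the kind of mismatch a reader would want to check before looking at keytabs or DNS. The `0.9` similarity cutoff and the `known_hosts` parameter are my own choices.

```python
import re
import difflib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines in the krb5kdc.log format quoted in the thread
# (the list archive rewrites "@" as " at "; real log lines carry "@").
SAMPLE_LOG = """\
Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

# Fixed prefix of an MIT krb5kdc request line: timestamp, KDC host, process,
# request type, offered etypes, client address, result code, free text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the free-text part.
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")


@dataclass
class KdcEvent:
    timestamp: str
    kdc: str
    request: str
    client_ip: str
    status: str
    client: Optional[str]
    server: Optional[str]


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one AS_REQ/TGS_REQ log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRINCIPALS_RE.search(m["rest"])
    return KdcEvent(m["ts"], m["kdc"], m["req"], m["client_ip"], m["status"],
                    p["client"] if p else None, p["server"] if p else None)


def split_principal(principal: str) -> Tuple[str, str, str]:
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); 'admin@REALM' -> ('admin', '', 'REALM')."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return service, host, realm


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    service: str
    host: str
    realm: str
    likely_typo_of: Optional[str]  # a known host the requested name nearly matches


def find_unknown_servers(lines: Iterable[str], known_hosts: Iterable[str] = ()) -> List[Finding]:
    """Collect UNKNOWN_SERVER results and flag hosts that nearly match a known name.

    The KDC's own host name (as it logs itself) is always in the candidate set;
    pass enrolled client names in known_hosts to catch typos of those as well.
    """
    findings = []
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev.status != "UNKNOWN_SERVER" or ev.server is None:
            continue
        service, host, realm = split_principal(ev.server)
        candidates = sorted(set(known_hosts) | {ev.kdc})
        # Assumed heuristic: a 0.9 SequenceMatcher ratio catches one-character
        # slips without matching genuinely different hosts in the same domain.
        close = difflib.get_close_matches(host, candidates, n=1, cutoff=0.9)
        typo = close[0] if close and close[0] != host else None
        findings.append(Finding(ev.timestamp, ev.client_ip, service, host, realm, typo))
    return findings


if __name__ == "__main__":
    for f in find_unknown_servers(SAMPLE_LOG.splitlines()):
        hint = f" (possible misspelling of {f.likely_typo_of})" if f.likely_typo_of else ""
        print(f"{f.timestamp} {f.client_ip} asked for {f.service}/{f.host}@{f.realm}{hint}")
```

The host comparison is deliberately strict: with the constructed lines, `ipaclient.labs.example.com.au` scores well below the cutoff against `ipaserver.labs.example.com.au`, so a request for a host that simply has no service entry yet is reported without a misspelling hint, while `ipasever` is flagged.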
