[Freeipa-users] Kerberos Authentication (again)
Dmitri Pal
dpal at redhat.com
Thu Dec 11 05:02:44 UTC 2008
Fraginhell wrote:
> Yes, I cannot create the service. It works on the IPA server; I can
> create it there (and delete it again). Maybe that's the problem.
> I'm sure it's not on the IPA server anymore as
>
>
So on the IPA server you run:
ipa-addservice host/ipaclient.labs.example.com.au
and it works.
Then you delete it on the server, go to the client and try it there and
it fails. Right?
On the client you did the ipa-client-install and followed the instructions.
And you did "kinit admin" on client and it worked. I see the ticket below.
Hm...
Does the client nslookup also work and return same result as the one you
have on the server?
Dmitri
> ipa-findservice host/ipaclient.labs.example.com.au
> No entries found for host/ipaclient.labs.example.com.au
>
> I just checked the client's /etc/krb5.keytab file and it does not exist.
> What bothers me is on the server (/var/log/krb5kdc.log) the log says
> UNKNOWN_SERVER. I'm not sure how much of the problem this is.
>
> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
>
>
> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>
>> Fraginhell wrote:
>>
>>> Dmitri,
>>>
>>> wow thanks for such a quick reply,
>>>
>>>
>>>
>> Hm, I might have misread the error in your original post.
>> I thought that you managed to create the service record. It looks like it
>> failed first.
>> Are you saying it fails to create the service itself?
>>
>> Then this is really on the edge of what I understand (learning product
>> myself).
>> Can it be that the host is already enrolled with some other Kerberos server
>> and has a keytab from it?
>>
>> Sorry if there will be more confusion than help.
>> Dmitri
>>
>>
>>
>>> ipa-getkeytab -s ipaserver.labs.example.com.au -p
>>> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
>>> SASL Bind failed!
>>>
>>> on the server I see
>>> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>> found in Kerberos database
>>>
>>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>> found in Kerberos database
>>>
>>> The guide says to add the host principal first on the server. If I do an
>>> ipa-findservice I can see lots of entries for the server but none for the
>>> client.
>>>
>>> Keith.
>>>
>>>
>>>
>>>
>>>
>>> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>>>
>>>
>>>> Fraginhell wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry to bring the subject up again, but I can't see for looking where
>>>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>>>> DNS and reverse DNS are working correctly.
>>>>> IPA server installed without problems and so did the client. On the
>>>>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>>>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>>>> My client is configured using the krb5.conf from the docs
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = LABS.EXAMPLE.COM.AU
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> #forwardable = yes
>>>>> ticket_lifetime = 24h
>>>>>
>>>>> [realms]
>>>>> LABS.EXAMPLE.COM.AU = {
>>>>> kdc = ipaserver.labs.example.com.au:88
>>>>> admin_server = ipaserver.labs.example.com.au:749
>>>>> default_domain = labs.example.com.au
>>>>> }
>>>>> [domain_realm]
>>>>> .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>> labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>>
>>>>> on the client I can kinit admin
>>>>>
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>
>>>>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 12/11/08 14:03:18 12/12/08 14:03:16
>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>>
>>>>> on the ipaserver I can see the authentication complete
>>>>> Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>>>>> admin at LABS.EXAMPLE.COM.AU for
>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>>>>> pre-authentication required
>>>>>
>>>>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>>>>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>>>>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> now when I add the host service
>>>>> ipa-addservice host/ipaclient.labs.example.com.au
>>>>> Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
>>>>> provide more information/Server not found in Kerberos database
>>>>> On the server I see
>>>>>
>>>>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>>> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
>>>>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>>> found in Kerberos database
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Did you do ipa-getkeytab on the client where the service is going to run?
>>>> See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
>>>> retrieve keytab before using service.
>>>> The operation will initialize kerberos attributes inside the service
>>>> entry.
>>>> Without it the service is just an empty container not yet known to KDC.
>>>>
>>>> Thanks
>>>> Dmitri
>>>>
>>>>
>>>>> According to the troubleshooting guide, this is a DNS problem:
>>>>> on the server
>>>>> nslookup ipaclient
>>>>>
>>>>> Server: 127.0.0.1
>>>>> Address: 127.0.0.1#53
>>>>> Name: ipaclient.labs.example.com.au
>>>>> Address: 10.212.50.31
>>>>>
>>>>> nslookup 10.212.50.31
>>>>> Server: 127.0.0.1
>>>>> Address: 127.0.0.1#53
>>>>> 31.50.212.10.in-addr.arpa name = ipaclient.labs.example.com.au.
>>>>>
>>>>> The other mention in the troubleshooting guide is:
>>>>> You may have multiple entries for the same host created by different
>>>>> KDCs.
>>>>> Not sure what this means, or where to go from here.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Keith.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>>
>>>>
>>
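As an added example (not from the thread or the FreeIPA project): a short Python script that parses krb5kdc.log lines of the kind quoted above and classifies each UNKNOWN_SERVER TGS_REQ. It embeds the quoted log lines as constructed sample input (the list archive prints "@" as " at "; the script restores "@" as the KDC writes it) plus one constructed line for host/ipaclient, assumes the two lab hostnames from the thread as the known-host set, and uses a plain edit-distance check to separate a requested host that is spelled one letter away from a real host (the quoted requests name ipasever.labs.example.com.au, while the KDC logs itself as ipaserver.labs.example.com.au) from a real host whose service entry simply has no key yet, which is the situation Dmitri describes for a service created without ipa-getkeytab.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the krb5kdc.log lines quoted in the thread with the
# archive's " at " restored to "@". The last line (host/ipaclient) is constructed
# to exercise the "real host, no keytab" branch and is not from the thread.
SAMPLE_KDC_LOG = """\
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 15:10:02 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for host/ipaclient.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

# Assumed known-host set: the KDC's own name (log prefix) and the client name
# that the thread's nslookup output resolves.
KNOWN_HOSTS = {"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"}

# One MIT KDC log line: timestamp, KDC host, request type, etypes, client IP,
# status, then "<client principal> for <server principal>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>[\d.]+): (?P<status>[A-Z_]+):"
    r".*?\s(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)"
)


def parse_kdc_log(text: str) -> List[Dict[str, str]]:
    """Turn KDC log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def service_host(principal: str) -> Optional[str]:
    """Host part of a service principal (ldap/host@REALM); None for users and krbtgt."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    svc, host = name.split("/", 1)
    return None if svc == "krbtgt" else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to spot a one-letter hostname typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def diagnose(events: Iterable[Dict[str, str]], known_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Classify each UNKNOWN_SERVER request by comparing its host to known hosts."""
    known = {h.lower() for h in known_hosts}
    findings = []
    for ev in events:
        if ev["status"] != "UNKNOWN_SERVER":
            continue
        host = service_host(ev["server"])
        finding = {"ts": ev["ts"], "server": ev["server"], "client_ip": ev["client_ip"]}
        if host is None:
            finding["cause"] = "non-service principal"
        elif host in known:
            # The host is real but the KDC holds no key for this service: the
            # service entry was never created or ipa-getkeytab was never run.
            finding["cause"] = "service not registered / no keytab"
        else:
            nearest = min(known, key=lambda h: edit_distance(host, h))
            if edit_distance(host, nearest) <= 2:
                finding["cause"] = "probable hostname typo"
                finding["suggest"] = nearest
            else:
                finding["cause"] = "unknown host"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_kdc_log(SAMPLE_KDC_LOG), KNOWN_HOSTS):
        print(f)
```

Run against a real /var/log/krb5kdc.log by reading the file into parse_kdc_log and passing the hosts the KDC is supposed to serve; a "probable hostname typo" finding points at the client-side configuration that produced the principal name, while "service not registered / no keytab" points at the service entry on the server.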