[Freeipa-users] Kerberos Authentication (again)

Dmitri Pal dpal at redhat.com
Thu Dec 11 05:02:44 UTC 2008


Fraginhell wrote:
> Yes, I cannot create the service. It works on the IPA server, I can
> create it there (and delete it again); maybe that's the problem.
> I'm sure it's not on the IPA server anymore as
>
So on the IPA server you run:

ipa-addservice host/ipaclient.labs.example.com.au

and it works.

Then you delete it on the server, go to the client and try it there and 
it fails. Right?
On the client you did the ipa-client-install and followed the instructions.
And you did "kinit admin" on the client and it worked. I see the ticket below.

Hm...
Does the client nslookup also work and return the same result as the one you 
have on the server?

Dmitri
> ipa-findservice host/ipaclient.labs.example.com.au
> No entries found for host/ipaclient.labs.example.com.au
>
> I just checked the clients /etc/krb5.keytab file and it does not exist.
> What bothers me is on the server (/var/log/krb5kdc.log) the log says
> UNKNOWN_SERVER. I'm not sure how much of the problem this is.
>
> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
>
>
> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>> Fraginhell wrote:
>>> Dmitri,
>>>
>>> wow thanks for such a quick reply,
>>>
>>>
>> Hm, I might have misread the error in your original post.
>> I thought that you managed to create the service record. It looks like it
>> failed first.
>> Are you saying it fails to create the service itself?
>>
>> Then this is really on the edge of what I understand (learning product
>> myself).
>> Can it be that the host is already enrolled with some other kerberos server
>> and has a keytab from it?
>>
>> Sorry if there will be more confusion than help.
>> Dmitri
>>
>>
>>>  ipa-getkeytab -s ipaserver.labs.example.com.au -p
>>> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
>>> SASL Bind failed!
>>>
>>> on the server I see
>>> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>> found in Kerberos database
>>>
>>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>> found in Kerberos database
>>>
>>> The guide says to add the host principal first on the server. If I do an
>>> ipa-findservice I can see lots of entries for the server but none for the
>>> client.
>>>
>>> Keith.
>>>
>>>
>>>
>>>
>>>
>>> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>>>
>>>> Fraginhell wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry to bring the subject up again, but I can't see for looking where
>>>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>>>> DNS and reverse DNS are working correctly.
>>>>> IPA server installed without problems and so did the client. On the
>>>>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>>>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>>>> My client is configured using the krb5.conf from the docs:
>>>>>
>>>>> [libdefaults]
>>>>>  default_realm = LABS.EXAMPLE.COM.AU
>>>>>  dns_lookup_realm = true
>>>>>  dns_lookup_kdc = true
>>>>>  #forwardable = yes
>>>>>  ticket_lifetime = 24h
>>>>>
>>>>> [realms]
>>>>>  LABS.EXAMPLE.COM.AU = {
>>>>>  kdc = ipaserver.labs.example.com.au:88
>>>>>  admin_server = ipaserver.labs.example.com.au:749
>>>>>  default_domain = labs.example.com.au
>>>>>  }
>>>>> [domain_realm]
>>>>>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>>
>>>>> on the client I can kinit admin
>>>>>
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>
>>>>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 12/11/08 14:03:18  12/12/08 14:03:16
>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>>
>>>>> on the ipaserver I can see the authentication complete
>>>>>  Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>>>>> admin at LABS.EXAMPLE.COM.AU for
>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>>>>> pre-authentication required
>>>>>
>>>>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>>>>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>>>>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>
>>>>> now when I add the host service
>>>>> ipa-addservice host/ipaclient.labs.example.com.au
>>>>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>>>>> provide more information/Server not found in Kerberos database
>>>>> On the server I see
>>>>>
>>>>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>>>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>>> found in Kerberos database
>>>>>
>>>>>
>>>>>
>>>> Did you do ipa-getkeytab on the client where the service is going to run?
>>>> See http://www.freeipa.org/page/ConfiguringFedoraClients and the steps to
>>>> retrieve the keytab before using the service.
>>>> The operation will initialize the Kerberos attributes inside the service
>>>> entry.
>>>> Without it the service is just an empty container not yet known to the KDC.
>>>>
>>>> Thanks
>>>> Dmitri
>>>>
>>>>> According to troubleshooting, this is a dns problem:
>>>>> on the server
>>>>> nslookup ipaclient
>>>>>
>>>>> Server:         127.0.0.1
>>>>> Address:        127.0.0.1#53
>>>>> Name:   ipaclient.labs.example.com.au
>>>>> Address: 10.212.50.31
>>>>>
>>>>>  nslookup 10.212.50.31
>>>>> Server:         127.0.0.1
>>>>> Address:        127.0.0.1#53
>>>>> 31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.
>>>>>
>>>>> The other mention in the troubleshooting guide is:
>>>>> You may have multiple entries for the same host created by different
>>>>> KDCs.
>>>>> Not sure what this means, or where to go from here.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Keith.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
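Added example, not from this thread and not part of FreeIPA: a small Python script that parses krb5kdc.log request lines of the kind quoted above and sorts each UNKNOWN_SERVER entry into one of two buckets, a request for a service principal on a host you know about (the service entry has not been created, or its keytab has not been retrieved yet, so the KDC holds no key for it), or a request naming a host that is not in your expected-host list (a typo, a DNS or configuration mismatch), with the closest known hostname as a hint. It assumes real log lines carry principals as `name@REALM` (the list archive rewrites `@` as `at`); the sample lines, the `KNOWN_HOSTS` set and the classification labels are constructed for the example.

```python
import difflib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Request lines as krb5kdc writes them to /var/log/krb5kdc.log. The list
# archive renders "@" as " at "; a real log line uses "@", assumed here.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for service/host@REALM" inside the free-form tail of the line.
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")

# Constructed: the hosts this lab expects to have principals for.
KNOWN_HOSTS = frozenset({"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"})

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    "Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU",
    "Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database",
    "Dec 11 15:01:02 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for host/ipaclient.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database",
    "Dec 11 15:01:03 ipaserver.labs.example.com.au krb5kdc[2005](info): closing down fd 12",
]


@dataclass
class KdcEvent:
    timestamp: str
    request: str           # AS_REQ or TGS_REQ
    client_ip: str
    status: str            # ISSUE, NEEDED_PREAUTH, UNKNOWN_SERVER, ...
    client: Optional[str]  # requesting principal
    server: Optional[str]  # requested service principal

    @property
    def server_host(self) -> Optional[str]:
        """Host part of service/host@REALM; None for krbtgt or unparsed tails."""
        if not self.server:
            return None
        name = self.server.split("@", 1)[0]
        if "/" not in name:
            return None
        service, host = name.split("/", 1)
        return None if service == "krbtgt" else host


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one AS_REQ/TGS_REQ line; return None for any other KDC message."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    p = PRINCIPALS.search(m.group("rest"))
    return KdcEvent(
        timestamp=m.group("ts"),
        request=m.group("req"),
        client_ip=m.group("client_ip"),
        status=m.group("status"),
        client=p.group("client") if p else None,
        server=p.group("server") if p else None,
    )


def classify_unknown_server(lines: Iterable[str], known_hosts) -> List[dict]:
    """One finding per UNKNOWN_SERVER event, tagged with the likely cause."""
    findings = []
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev.status != "UNKNOWN_SERVER" or ev.server_host is None:
            continue
        host = ev.server_host
        if host in known_hosts:
            # The host is right; the service entry was not created or its
            # keytab was never retrieved, so the KDC has no key for it yet.
            kind, hint = "principal-missing", None
        else:
            # No client should ask for a host that does not exist: look for
            # a near-miss spelling among the hosts we do know about.
            close = difflib.get_close_matches(host, sorted(known_hosts), n=1, cutoff=0.8)
            kind, hint = "hostname-mismatch", (close[0] if close else None)
        findings.append({
            "time": ev.timestamp, "client_ip": ev.client_ip, "client": ev.client,
            "requested": ev.server, "host": host, "kind": kind,
            "closest_known_host": hint,
        })
    return findings


if __name__ == "__main__":
    for f in classify_unknown_server(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{f['time']} {f['client_ip']} {f['kind']:18} {f['requested']}"
              + (f"  (did you mean {f['closest_known_host']}?)" if f["closest_known_host"] else ""))
```

Run against a real log with `classify_unknown_server(open("/var/log/krb5kdc.log"), KNOWN_HOSTS)`; the hint only fires for hosts outside the list you supply, so keep that list to the hosts that are actually enrolled.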