[Freeipa-users] GSSAPI Failure

Konstantin Kozlov kozlov at spbcas.ru
Tue Nov 11 14:10:09 UTC 2008


Simo Sorce wrote:
> On Tue, 2008-11-11 at 16:50 +0300, Konstantin Kozlov wrote:
>> Well, during the last day I've reinstalled ipaserver (Fedora 9) and 
>> ipaclient (CentOS 5). It worked for about 15 min :). I've added one 
>> user, nfs, cifs and host principals, automounter schema and principal 
>> for winxp host with rc4-hmac encryption. Automounter worked, I could 
>> login to ipaserver with ipauser and had the home dir automounted.
>> Then "suddenly" I've started to get the same error.
>>
>> I have one master - ipaserver on Fedora 9
>> and one client on CentOS 5 with recompiled srpms from RHEL.
>>
>> RPMs on Fedora are all updated (maybe this is bad?)
>>
>> Kerberos works, I can get tickets for admin and ipauser.
>>
>> Do you have any ideas?
> 
> As I said check krb5kdc.log please.
> 
> Simo.
> 

tail /var/log/krb5kdc.log:

Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, 
etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for 
ldap/ipaserver.example.com at example.com
Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, 
etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for 
ldap/ipaserver.example.com at example.com
Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, 
etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for 
ldap/ipaserver.example.com at example.com
Nov 11 16:41:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 
etypes {18}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 
tkt=18 ses=18}, kkozlov at example.com for krbtgt/example.com at example.com
Nov 11 16:41:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, 
etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for 
ldap/ipaserver.example.com at example.com
Nov 11 17:03:09 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 
etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 
tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com
Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 
etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 
tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com
Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 
etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 
tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com
Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 
etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 
tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com
Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226407271, 
etypes {rep=18 tkt=18 ses=18}, admin at example.com for 
ldap/ipaserver.example.com at example.com

I suspect that the system was unhappy with rc4-hmac in the ipa-getkeytab 
command, as it is not listed in the supported enctypes. Is it possible?

-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
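
The enctype numbers in the krb5kdc.log excerpt above can be decoded mechanically to see which encryption types a client offered and which the KDC actually used for each ticket (23 is rc4-hmac, which MIT krb5 names arcfour-hmac). This is an added example, not part of the original message or of FreeIPA; the sample log is constructed in the excerpt's format, and the second record (winuser, 10.10.1.190, host/winxp) is hypothetical.

```python
import re

# Kerberos enctype numbers mapped to the names MIT krb5 uses.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",  # a.k.a. rc4-hmac
}
WEAK = {1, 2, 3, 23}  # single DES and RC4

REQ_RE = re.compile(
    r"(?P<type>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): [^{}]*?"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

def name(n):
    return ETYPES.get(n, f"etype-{n}")

def parse_kdc_log(text):
    """Return one dict per issued ticket; wrapped lines are rejoined first."""
    flat = " ".join(text.split())  # undo e-mail/terminal line wrapping
    out = []
    for m in REQ_RE.finditer(flat):
        used = {k: int(m[k]) for k in ("rep", "tkt", "ses")}
        out.append({
            "type": m["type"], "client": m["client"], "service": m["service"],
            "offered": [name(int(n)) for n in m["offered"].split()],
            "used": {k: name(v) for k, v in used.items()},
            "weak_used": sorted(name(v) for v in set(used.values()) & WEAK),
        })
    return out

# Constructed sample in the format of the excerpt above, wrapped the same way.
SAMPLE = """\
Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666,
etypes {rep=18 tkt=18 ses=18}, kkozlov@EXAMPLE.COM for
ldap/ipaserver.example.com@EXAMPLE.COM
Nov 11 16:45:00 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1
etypes {23}) 10.10.1.190: ISSUE: authtime 1226410700,
etypes {rep=23 tkt=23 ses=23}, winuser@EXAMPLE.COM for
host/winxp.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for r in parse_kdc_log(SAMPLE):
        print(r["client"], "->", r["service"], r["used"], r["weak_used"])
```

In each record, `offered` is what the client listed in the request, while `used` shows the reply, ticket and session key types the KDC selected.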



