[Freeipa-users] Unable to authenticate a client user against IPA
Rob Crittenden
rcritten at redhat.com
Wed Mar 9 04:29:27 UTC 2011
Steven Jones wrote:
> Hi,
>
> Log,
>
The error is "Host is already joined" so no keytab is requested. The
enrollment failed.
ipa-client-install --uninstall should unenroll the client (you can
verify that Keytab is False in ipa host-show <client_fqdn> on the IPA
server.
If so running ipa-client-install on the client should configure things
properly.
rob
> ============
> 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
> with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
> 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
> 'server': None, 'prompt_password': False, 'realm_name': None,
> 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
> None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
> interactively later
>
> 2011-03-04 15:08:58,726 DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
> 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
> 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
> 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
> -O /tmp/tmp7MhOze/ca.crt
> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> 2011-03-04 15:08:58,736 DEBUG stdout=
> 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/tmp/tmp7MhOze/ca.crt'
>
> 0K . 100%
> 237M=0s
>
> 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
> [1321/1321]
>
>
> 2011-03-04 15:08:58,736 DEBUG Init ldap with:
> ldap://fed14-64-ipam001.ipa.ac.nz:389
> 2011-03-04 15:08:58,749 DEBUG Search rootdse
> 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
> dc=ipa,dc=ac,dc=nz(base)
> 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
> {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
> 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
> in dc=ipa,dc=ac,dc=nz(sub)
> 2011-03-04 15:08:58,753 DEBUG Found:
> [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
> ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> 'krbMaxRenewableAge': ['604800']})]
> 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
>
> 2011-03-04 15:08:58,753 DEBUG will use server:
> fed14-64-ipam001.ipa.ac.nz
>
> 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
>
> 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
>
> 2011-03-04 15:09:04,645 DEBUG will use principal: admin
>
> 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> 2011-03-04 15:09:04,659 DEBUG stdout=
> 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1321 (1.3K) [application/x-x509-ca-cert]
> Saving to: `/etc/ipa/ca.crt'
>
> 0K . 100%
> 249M=0s
>
> 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>
>
> 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ
> 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ:
>
> 2011-03-04 15:09:11,665 DEBUG stderr=
> 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
> fed14-64-ipam001.ipa.ac.nz
> 2011-03-04 15:09:13,931 DEBUG stdout=
> 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
>
> 2011-03-04 15:09:13,937 DEBUG args=kdestroy
> 2011-03-04 15:09:13,937 DEBUG stdout=
> 2011-03-04 15:09:13,937 DEBUG stderr=
> 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
> '/etc/ipa/default.conf'
> 2011-03-04 15:09:13,938 DEBUG -> Not backing up -
> '/etc/ipa/default.conf' doesn't exist
> 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
> '/etc/sssd/sssd.conf'
> 2011-03-04 15:09:13,938 DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
> -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> 2011-03-04 15:09:14,012 DEBUG stdout=
> 2011-03-04 15:09:14,012 DEBUG stderr=
> 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
> '/etc/krb5.conf'
> 2011-03-04 15:09:14,013 DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
> 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped
>
> 2011-03-04 15:09:14,104 DEBUG stderr=
> 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
> 2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
> Starting certmonger: [ OK ]
>
> 2011-03-04 15:09:14,280 DEBUG stderr=
> 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
> 2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off
> 3:off 4:off 5:off 6:off
>
> 2011-03-04 15:09:14,295 DEBUG stderr=
> 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
> 2011-03-04 15:09:14,564 DEBUG stdout=
> 2011-03-04 15:09:14,564 DEBUG stderr=
> 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
> -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N
> CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K
> host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ
> 2011-03-04 15:09:14,586 DEBUG stdout=Error
> org.fedorahosted.certmonger.duplicate: Certificate at same location is
> already used by request "20110303020539".
>
> 2011-03-04 15:09:14,586 DEBUG stderr=
> 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
> 2011-03-04 15:09:14,605 DEBUG stdout=
> 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be
> canonicalized when creating default server principal name
>
> 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate
> -g /etc/ipa/.dns_update.txt
> 2011-03-04 15:09:14,764 DEBUG stdout=
> 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may
> have expired.
>
> 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
> 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...
>
> 2011-03-04 15:09:14,827 DEBUG stderr=
> 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
> 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ]
>
> 2011-03-04 15:09:14,856 DEBUG stderr=
> 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
> 2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on
> 3:on 4:on 5:on 6:off
>
> 2011-03-04 15:09:14,858 DEBUG stderr=
> 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
> 2011-03-04 15:09:14,958 DEBUG stdout=
> 2011-03-04 15:09:14,958 DEBUG stderr=
> 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd
> --enablesssdauth --update
> 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ]
> [ OK ]
>
> 2011-03-04 15:09:16,402 DEBUG stderr=
> 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
> 2011-03-04 15:09:16,419 DEBUG stdout=
> 2011-03-04 15:09:16,419 DEBUG stderr=
> 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
> 2011-03-04 15:09:17,424 DEBUG stdout=
> 2011-03-04 15:09:17,424 DEBUG stderr=
> 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
> 2011-03-04 15:09:18,429 DEBUG stdout=
> 2011-03-04 15:09:18,429 DEBUG stderr=
> 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
> 2011-03-04 15:09:19,432 DEBUG stdout=
> 2011-03-04 15:09:19,432 DEBUG stderr=
> 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
> 2011-03-04 15:09:20,436 DEBUG stdout=
> 2011-03-04 15:09:20,436 DEBUG stderr=
> 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5
> --update --nostart
> 2011-03-04 15:09:22,303 DEBUG stdout=
> 2011-03-04 15:09:22,303 DEBUG stderr=
> 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file
> '/etc/ntp.conf'
> 2011-03-04 15:09:22,304 DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file
> '/etc/sysconfig/ntpd'
> 2011-03-04 15:09:22,305 DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
> 2011-03-04 15:09:22,398 DEBUG stdout=
> 2011-03-04 15:09:22,398 DEBUG stderr=
> 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
> 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ]
> Starting ntpd: [ OK ]
>
> 2011-03-04 15:09:22,537 DEBUG stderr=
> ============
>
> regards
>
> On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
>> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
>> Stephen Gallagher<sgallagh at redhat.com> wrote:
>>
>>>
>>>
>>> On Mar 8, 2011, at 5:45 PM, Steven Jones<Steven.Jones at vuw.ac.nz>
>>> wrote:
>>>
>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ----
>>>> --------------------------------------------------------------------------
>>>>
>>>> 8><---------
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>> Looks like you have no host key in the keytab. That's the root of the
>>> problem. Seems like IPA-client-install failed to populate it. Rob, do
>>> you have any insight here?
>>
>> does /var/log/ipaclient-install.log show any error ?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list