[Freeipa-users] Unable to authenticate a client user against IPA
Dmitri Pal
dpal at redhat.com
Wed Mar 9 19:42:12 UTC 2011
On 03/09/2011 02:21 PM, Steven Jones wrote:
> Hi,
>
> I had/have already done the uninstall...and re-install.
>
> Also I registered a brand new 2nd client...that hasnt worked
> either......
>
How did you create the host record for it on the server?
> regards
>
>
> On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> Log,
>>>
>> The error is "Host is already joined" so no keytab is requested. The
>> enrollment failed.
>>
>> ipa-client-install --uninstall should unenroll the client (you can
>> verify that Keytab is False in ipa host-show <client_fqdn> on the IPA
>> server.
>>
>> If so running ipa-client-install on the client should configure things
>> properly.
>>
>> rob
>>
>>> ============
>>> 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
>>> with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
>>> 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
>>> 'server': None, 'prompt_password': False, 'realm_name': None,
>>> 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
>>> None, 'mkhomedir': False, 'unattended': None, 'principal': None}
>>> 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
>>> interactively later
>>>
>>> 2011-03-04 15:08:58,726 DEBUG Loading Index file from
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
>>> 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
>>> 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
>>> 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
>>> -O /tmp/tmp7MhOze/ca.crt
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> 2011-03-04 15:08:58,736 DEBUG stdout=
>>> 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
>>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 1321 (1.3K) [application/x-x509-ca-cert]
>>> Saving to: `/tmp/tmp7MhOze/ca.crt'
>>>
>>> 0K . 100%
>>> 237M=0s
>>>
>>> 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
>>> [1321/1321]
>>>
>>>
>>> 2011-03-04 15:08:58,736 DEBUG Init ldap with:
>>> ldap://fed14-64-ipam001.ipa.ac.nz:389
>>> 2011-03-04 15:08:58,749 DEBUG Search rootdse
>>> 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
>>> dc=ipa,dc=ac,dc=nz(base)
>>> 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
>>> {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
>>> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
>>> ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
>>> 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
>>> in dc=ipa,dc=ac,dc=nz(sub)
>>> 2011-03-04 15:08:58,753 DEBUG Found:
>>> [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
>>> ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
>>> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
>>> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
>>> 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
>>> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
>>> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
>>> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
>>> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
>>> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
>>> 'krbMaxRenewableAge': ['604800']})]
>>> 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
>>>
>>> 2011-03-04 15:08:58,753 DEBUG will use server:
>>> fed14-64-ipam001.ipa.ac.nz
>>>
>>> 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
>>>
>>> 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
>>>
>>> 2011-03-04 15:09:04,645 DEBUG will use principal: admin
>>>
>>> 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> 2011-03-04 15:09:04,659 DEBUG stdout=
>>> 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
>>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
>>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
>>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 1321 (1.3K) [application/x-x509-ca-cert]
>>> Saving to: `/etc/ipa/ca.crt'
>>>
>>> 0K . 100%
>>> 249M=0s
>>>
>>> 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
>>>
>>>
>>> 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ
>>> 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ:
>>>
>>> 2011-03-04 15:09:11,665 DEBUG stderr=
>>> 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
>>> fed14-64-ipam001.ipa.ac.nz
>>> 2011-03-04 15:09:13,931 DEBUG stdout=
>>> 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
>>>
>>> 2011-03-04 15:09:13,937 DEBUG args=kdestroy
>>> 2011-03-04 15:09:13,937 DEBUG stdout=
>>> 2011-03-04 15:09:13,937 DEBUG stderr=
>>> 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
>>> '/etc/ipa/default.conf'
>>> 2011-03-04 15:09:13,938 DEBUG -> Not backing up -
>>> '/etc/ipa/default.conf' doesn't exist
>>> 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
>>> '/etc/sssd/sssd.conf'
>>> 2011-03-04 15:09:13,938 DEBUG Saving Index File to
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
>>> -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
>>> 2011-03-04 15:09:14,012 DEBUG stdout=
>>> 2011-03-04 15:09:14,012 DEBUG stderr=
>>> 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
>>> '/etc/krb5.conf'
>>> 2011-03-04 15:09:14,013 DEBUG Saving Index File to
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
>>> 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped
>>>
>>> 2011-03-04 15:09:14,104 DEBUG stderr=
>>> 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
>>> 2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
>>> Starting certmonger: [ OK ]
>>>
>>> 2011-03-04 15:09:14,280 DEBUG stderr=
>>> 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
>>> 2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off
>>> 3:off 4:off 5:off 6:off
>>>
>>> 2011-03-04 15:09:14,295 DEBUG stderr=
>>> 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
>>> 2011-03-04 15:09:14,564 DEBUG stdout=
>>> 2011-03-04 15:09:14,564 DEBUG stderr=
>>> 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
>>> -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N
>>> CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K
>>> host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ
>>> 2011-03-04 15:09:14,586 DEBUG stdout=Error
>>> org.fedorahosted.certmonger.duplicate: Certificate at same location is
>>> already used by request "20110303020539".
>>>
>>> 2011-03-04 15:09:14,586 DEBUG stderr=
>>> 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
>>> 2011-03-04 15:09:14,605 DEBUG stdout=
>>> 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be
>>> canonicalized when creating default server principal name
>>>
>>> 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate
>>> -g /etc/ipa/.dns_update.txt
>>> 2011-03-04 15:09:14,764 DEBUG stdout=
>>> 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may
>>> have expired.
>>>
>>> 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
>>> 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...
>>>
>>> 2011-03-04 15:09:14,827 DEBUG stderr=
>>> 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
>>> 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ]
>>>
>>> 2011-03-04 15:09:14,856 DEBUG stderr=
>>> 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
>>> 2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on
>>> 3:on 4:on 5:on 6:off
>>>
>>> 2011-03-04 15:09:14,858 DEBUG stderr=
>>> 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
>>> 2011-03-04 15:09:14,958 DEBUG stdout=
>>> 2011-03-04 15:09:14,958 DEBUG stderr=
>>> 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd
>>> --enablesssdauth --update
>>> 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ]
>>> [ OK ]
>>>
>>> 2011-03-04 15:09:16,402 DEBUG stderr=
>>> 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
>>> 2011-03-04 15:09:16,419 DEBUG stdout=
>>> 2011-03-04 15:09:16,419 DEBUG stderr=
>>> 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
>>> 2011-03-04 15:09:17,424 DEBUG stdout=
>>> 2011-03-04 15:09:17,424 DEBUG stderr=
>>> 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
>>> 2011-03-04 15:09:18,429 DEBUG stdout=
>>> 2011-03-04 15:09:18,429 DEBUG stderr=
>>> 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
>>> 2011-03-04 15:09:19,432 DEBUG stdout=
>>> 2011-03-04 15:09:19,432 DEBUG stderr=
>>> 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
>>> 2011-03-04 15:09:20,436 DEBUG stdout=
>>> 2011-03-04 15:09:20,436 DEBUG stderr=
>>> 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5
>>> --update --nostart
>>> 2011-03-04 15:09:22,303 DEBUG stdout=
>>> 2011-03-04 15:09:22,303 DEBUG stderr=
>>> 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file
>>> '/etc/ntp.conf'
>>> 2011-03-04 15:09:22,304 DEBUG Saving Index File to
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file
>>> '/etc/sysconfig/ntpd'
>>> 2011-03-04 15:09:22,305 DEBUG Saving Index File to
>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> 2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
>>> 2011-03-04 15:09:22,398 DEBUG stdout=
>>> 2011-03-04 15:09:22,398 DEBUG stderr=
>>> 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
>>> 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ]
>>> Starting ntpd: [ OK ]
>>>
>>> 2011-03-04 15:09:22,537 DEBUG stderr=
>>> ============
>>>
>>> regards
>>>
>>> On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
>>>> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
>>>> Stephen Gallagher<sgallagh at redhat.com> wrote:
>>>>
>>>>>
>>>>> On Mar 8, 2011, at 5:45 PM, Steven Jones<Steven.Jones at vuw.ac.nz>
>>>>> wrote:
>>>>>
>>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ----
>>>>>> --------------------------------------------------------------------------
>>>>>>
>>>>>> 8><---------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> Looks like you have no host key in the keytab. That's the root of the
>>>>> problem. Seems like IPA-client-install failed to populate it. Rob, do
>>>>> you have any insight here?
>>>> does /var/log/ipaclient-install.log show any error ?
>>>>
>>>> Simo.
>>>>
>>>> --
>>>> Simo Sorce * Red Hat, Inc * New York
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list