[Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
Michael B. Trausch
mbt at naunetcorp.com
Sun Dec 23 20:32:33 UTC 2012
Whoops. Let's try this again, I failed to post it correctly the first time.
The Reader's Digest version: I set up a FreeIPA server on CentOS 6.3.
I then setup a FreeIPA client on another CentOS 6.3 system. So far, so
good. Then I attempted to setup a FreeIPA client on a F18 system, which
has FreeIPA 3.1.0, but that fails with the error "Failed to obtain host
TGT.", and then reverts the changes.
The log file shows everything succeeding up to this point:
--------------------------------------------------------------------------
2012-12-23T19:39:38Z DEBUG args=/usr/sbin/ipa-join -s
s0.ipa.naunetcorp.com -b dc=ipa,dc=naunetcorp,dc=com -h
aloe.ipa.naunetcorp.com
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=Certificate subject base is:
O=IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z INFO Enrolled in IPA realm IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=kdestroy
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
host/aloe.ipa.naunetcorp.com at IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z DEBUG Process finished, return code=1
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=kinit: Generic preauthentication
failure while getting initial credentials
2012-12-23T19:39:40Z ERROR Failed to obtain host TGT.
2012-12-23T19:39:40Z ERROR Installation failed. Rolling back changes.
--------------------------------------------------------------------------
Every time I run the client script, the following appears in krb5kdc.log
on the server:
--------------------------------------------------------------------------
Dec 23 15:28:38 s0 krb5kdc[1208](info): AS_REQ (4 etypes {18 17 16 23})
2001:db8::1: NEEDED_PREAUTH:
host/aloe.ipa.naunetcorp.com at IPA.NAUNETCORP.COM for
krbtgt/IPA.NAUNETCORP.COM at IPA.NAUNETCORP.COM, Additional
pre-authentication required
--------------------------------------------------------------------------
(Yes the timestamps are different, because I just thought to check the
server log and so I ran the client command again; the clock skew between
the two systems is not measurable.)
The problem occurs every time I attempt to join the FreeIPA domain; I
have run it about 100 times now, just to see, as I found a verified RH
ticket against an older FreeIPA where a user was indicating that they
had this same type of trouble intermittently, but that was no use to me.
Anyone have an idea? Someplace else to look? Should I downgrade the
client, or upgrade the server? Am I doing something wrong?
Thanks a million!
Mike
More information about the Freeipa-users
mailing list