[Freeipa-users] unable to add service principle from F17

Dale Macartney dale at themacartneyclan.com
Tue Jun 26 10:25:53 UTC 2012



On 25/06/12 22:37, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>>
>> On 25/06/12 19:53, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>> working kickstarts for kerberised squid but instead of using RHEL i'm
>>>> setting it up on Fedora 17.
>>>>
>>>> I get the following error on the fedora system which has
>>>> freeipa-admintools installed
>>>>
>>>> [root@proxy02 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin@EXAMPLE.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]#
>>>>
>>>>
>>>>
>>>> Nothing appears in the logs apart from
>>>>
>>>> ==> /var/log/messages<==
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>> service principle from the IPA server. Just thought I might ask the
>>>> question.
>>>
>>> What version of client and server?
>>>
>>> rob
>>
>> Server details
>>
>> [root@ds01 ~]# yum info ipa-server
>> Loaded plugins: product-id, security, subscription-manager
>> Updating certificate-based repositories.
>> Installed Packages
>> Name : ipa-server
>> Arch : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size : 3.2 M
>> Repo : installed
>> - From repo : Red Hat Enterprise Linux
>> Summary : The IPA authentication server
>> URL : http://www.freeipa.org/
>> License : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If you are installing an IPA
>> server you need
>> : to install this package (in other words, most people
>> should NOT install
>> : this package).
>>
>>
>> Client details
>>
>> [root@proxy02 ~]# yum info freeipa-client
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-client
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 239 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA authentication for use on clients
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If your network uses IPA for
>> authentication,
>> : this package should be installed on every client machine.
>>
>> [root@proxy02 ~]# yum info freeipa-admintools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-admintools
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 43 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA administrative tools
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). This package provides
>> command-line tools for
>> : IPA administrators.
>>
>> [root@proxy02 ~]#
>
> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
> so sending the TGT is no longer required as it was pre 2.2.
>
> # ipa --delegate service-add HTTP/$(hostname)
>
> rob
>
Ah, good to know. Thanks for the info.

It does get past the TGT aspect, now it's just a version conflict. May or
may not be a workaround for that.

[root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
ipa: ERROR: 2.34 client incompatible with 2.13 server at
u'https://ds01.example.com/ipa/xml'
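
Added example, not part of the original message and not FreeIPA's own code: a small triage helper for the two `ipa` errors seen in this thread. The compatibility rule in `api_compatible` (same major, client minor not newer than the server's) is an assumption that matches the 2.34 vs 2.13 rejection above; those numbers are API versions, distinct from the 2.2.0 and 2.1.3 package versions.

```python
import re

# Constructed sample input: the two error lines quoted in this thread.
SAMPLE_ERRORS = [
    "ipa: ERROR: did not receive Kerberos credentials",
    "ipa: ERROR: 2.34 client incompatible with 2.13 server at "
    "u'https://ds01.example.com/ipa/xml'",
]

VERSION_RE = re.compile(
    r"ipa: ERROR: (\d+)\.(\d+) client incompatible with (\d+)\.(\d+) server"
)


def api_compatible(client, server):
    """Assumed rule: majors equal and client minor <= server minor.

    Versions are (major, minor) integer tuples. Comparing them as floats
    or strings would misorder pairs such as 2.9 and 2.13.
    """
    return client[0] == server[0] and client[1] <= server[1]


def triage(line):
    """Map one ipa CLI error line to a (kind, advice) tuple."""
    if "did not receive Kerberos credentials" in line:
        # Per the reply in this thread: a pre-2.2 server needs the TGT
        # delegated, which the 2.2 client only does with --delegate.
        return ("no-delegated-tgt", "retry the command with 'ipa --delegate'")
    m = VERSION_RE.search(line)
    if m:
        cmaj, cmin, smaj, smin = (int(g) for g in m.groups())
        if not api_compatible((cmaj, cmin), (smaj, smin)):
            advice = ("client API %d.%d not accepted by server API %d.%d; "
                      "run the command from the IPA server instead"
                      % (cmaj, cmin, smaj, smin))
            return ("api-version-mismatch", advice)
    return ("unknown", "no diagnosis for this line")


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        print(triage(err))
```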


