[Freeipa-users] Unable to enrol servers with principal

Rob Crittenden rcritten at redhat.com
Fri Feb 15 18:56:50 UTC 2013


Charlie Derwent wrote:
> Hi
> So there's nothing I can see in the access logs.
> However, I get the following message in the KDC log
> Feb 15 14:05:49 ipa.example.com
> krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
> 13}) 192.168.0.1: ISSUE: authtime 1360951549,
> etypes {rep=18 tkt=18 ses=18}, user at EXAMPLE.COM
> for krbtgt/EXAMPLE.COM at EXAMPLE.COM
> and when I get a "kinit(v5): Cannot read password while getting initial
> credentials" error I see this error
> Feb 15 14:39:35 ipa.example.com
> krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
> 13}) 192.168.0.1: NEEDED_PREAUTH: user at EXAMPLE.COM
> for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
> Interestingly enough when I try a 5.6 server running
> ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it
> works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client
> back to their 5.6 versions on the 5.8 server makes no difference. I
> guess looking at times it has worked I should be getting a TGS_REQ
> message in logs immediately after the AS_REQ.
> Any ideas or anything else I can check?
> Thanks
> Charliez

Are you seeing this failure only on this one 5.8 box or on others as well?

The linker error is totally bizarre and I'm not sure why you'd get it 
infrequently.

Does /var/log/ipaclient-install.log contain any additional information 
when things fail?

rob
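
A way to check a KDC log for the pattern raised in this thread (a TGT issued in an AS_REQ with no TGS_REQ following it from the same client), as an added example that is not part of the original messages. The log lines are constructed in the krb5kdc format quoted above; the function name and the second host 192.168.0.2 are assumptions.

```python
import re

# Matches krb5kdc request lines of the form quoted in the thread:
#   ... krb5kdc[PID](info): AS_REQ (...) IP: STATUS: ..., client@REALM for service@REALM
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<service>[^\s,]+@[^\s,]+)"
)

def unfollowed_tgt_issues(lines):
    """Return (client, ip) pairs that were issued a TGT but never sent a TGS_REQ."""
    pending = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a KDC request line
        key = (m["client"], m["ip"])
        tgt_issued = (m["req"] == "AS_REQ" and m["status"] == "ISSUE"
                      and m["service"].startswith("krbtgt/"))
        if tgt_issued and key not in pending:
            pending.append(key)
        elif m["req"] == "TGS_REQ" and key in pending:
            pending.remove(key)  # the TGT was used to request a service ticket
    return pending

# Constructed sample log (not taken from a real system).
SAMPLE_LOG = [
    "Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes "
    "{18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, "
    "etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Feb 15 14:06:10 ipa.example.com krb5kdc[1749](info): AS_REQ (4 etypes "
    "{18 17 16 23}) 192.168.0.2: ISSUE: authtime 1360951570, "
    "etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Feb 15 14:06:10 ipa.example.com krb5kdc[1749](info): TGS_REQ (4 etypes "
    "{18 17 16 23}) 192.168.0.2: ISSUE: authtime 1360951570, "
    "etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM",
    "Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes "
    "{18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: "
    "user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, "
    "Additional pre-authentication required",
]

if __name__ == "__main__":
    for client, ip in unfollowed_tgt_issues(SAMPLE_LOG):
        print(f"{client} from {ip}: TGT issued, no TGS_REQ seen")
```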



