[Freeipa-users] Unable to enrol servers with principal

Charlie Derwent shelltoesuperstar at gmail.com
Sat Feb 16 13:22:19 UTC 2013


On Fri, Feb 15, 2013 at 6:56 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Charlie Derwent wrote:
>
>> Hi
>> So there's nothing I can see in the access logs.
>> However, I get the following message in the KDC log
>> Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, user at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>
>> and when I get a "kinit(v5): Cannot read password while getting initial
>> credentials" error I see this error
>> Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: user at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional pre-authentication required
>>
>> Interestingly enough when I try a 5.6 server running
>> ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it
>> works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client
>> back to their 5.6 versions on the 5.8 server makes no difference. I
>> guess looking at times it has worked I should be getting a TGS_REQ
>> message in logs immediately after the AS_REQ.
>> Any ideas or anything else I can check?
>> Thanks
>> Charlie
>>
>
> Are you seeing this failure only on this one 5.8 box or on others as well?
>
> The linker error is totally bizarre and I'm not sure why you'd get it
> infrequently.
>
> Does /var/log/ipaclient-install.log contain any additional information
> when things fail?
>
> rob
>
>
On a whole host of 5.8 boxes. I'm 99.9% sure the ipaclient-install.log
didn't throw up anything I hadn't seen running the installer in debug mode
and then mentioned in the original e-mail but I'll double check that when
I'm in the office on Monday.

Dmitri, I'll triple check the date/timezone settings. I know the times
match using the date command, but I haven't checked inside the localtime
and clock files. All our servers should be set to UTC; someone is getting
fired out of a cannon if I find one that isn't. It's worth mentioning that
we don't use the NTP function of the IPA server as we're running them
inside VMs. All servers get their time from elsewhere.
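
The following is an added example, not part of the original message or of FreeIPA: a small Python check that scans krb5kdc log lines for the two patterns discussed in the thread, a TGT issued by AS_REQ with no TGS_REQ afterwards and a NEEDED_PREAUTH that is never followed by an ISSUE. The sample lines are constructed, modelled on the two quoted above with `@` written where the archive shows " at "; the second client address and the `ldap/` service principal are hypothetical.

```python
import re

# Matches krb5kdc AS_REQ / TGS_REQ lines in the layout quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, *etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

# Constructed sample: 192.168.0.1 stalls twice, 192.168.0.2 (hypothetical) completes.
P = "ipa.example.com krb5kdc[1749](info):"
E = "(12 etypes {18 17 16 23 1 3 2 11 10 15 12 13})"
A = "authtime 1360951549, etypes {rep=18 tkt=18 ses=18},"
U, TGT = "user@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SAMPLE_LOG = "\n".join([
    f"Feb 15 14:05:49 {P} AS_REQ {E} 192.168.0.1: NEEDED_PREAUTH: {U} for {TGT}, Additional pre-authentication required",
    f"Feb 15 14:05:49 {P} AS_REQ {E} 192.168.0.1: ISSUE: {A} {U} for {TGT}",
    f"Feb 15 14:07:10 {P} AS_REQ {E} 192.168.0.2: NEEDED_PREAUTH: {U} for {TGT}, Additional pre-authentication required",
    f"Feb 15 14:07:10 {P} AS_REQ {E} 192.168.0.2: ISSUE: {A} {U} for {TGT}",
    f"Feb 15 14:07:10 {P} TGS_REQ (4 etypes {{18 17 16 23}}) 192.168.0.2: ISSUE: {A} {U} for ldap/ipa.example.com@EXAMPLE.COM",
    f"Feb 15 14:39:35 {P} AS_REQ {E} 192.168.0.1: NEEDED_PREAUTH: {U} for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required",
])

def stalled_exchanges(log_text):
    """Return (timestamp, client, address, reason) for exchanges that never progressed."""
    pending = {}  # insertion-ordered: key -> (timestamp, reason)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AS_REQ/TGS_REQ line
        who = (m["client"], m["addr"])
        if m["req"] == "AS_REQ" and m["status"] == "NEEDED_PREAUTH":
            # First leg of a pre-authenticated AS exchange; expect an ISSUE next.
            pending[("preauth", *who, m["service"])] = (
                m["ts"], "NEEDED_PREAUTH for %s never completed" % m["service"])
        elif m["req"] == "AS_REQ" and m["status"] == "ISSUE":
            pending.pop(("preauth", *who, m["service"]), None)
            if m["service"].startswith("krbtgt/"):
                # TGT handed out; a working enrolment goes on to a TGS_REQ.
                pending[("tgt", *who)] = (m["ts"], "TGT issued, no TGS_REQ followed")
        elif m["req"] == "TGS_REQ" and m["status"] == "ISSUE":
            pending.pop(("tgt", *who), None)
    return [(ts, key[1], key[2], reason) for key, (ts, reason) in pending.items()]

if __name__ == "__main__":
    for row in stalled_exchanges(SAMPLE_LOG):
        print(*row, sep="  ")
```

An exchange still in progress when the log ends is reported too, so run it over a window that extends past the failed attempt.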