[Freeipa-users] Problem with automount - "Additional pre-authentication required"

Andrew Wasielewski andrew at wasielewski.co.uk
Wed Jun 26 22:01:56 UTC 2013


I am pretty new to FreeIPA.  I am setting up a server to manage a small home network.

I am unable to get automount to work on the client.  When I start autofs, I see this in syslog:-

[root at localhost ~]# automount -f -d
Starting automounter version 5.0.5-31.fc14, master map auto.master
using kernel protocol version 5.01
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry /misc
lookup_read_master: lookup(file): read entry /net
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://server.wasielewski.co.uk
do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI
sasl_do_kinit: initializing kerberos ticket: client principal host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
sasl_do_kinit: calling krb5_parse_name on client principal host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK
sasl_do_kinit: Using tgs name krbtgt/WASIELEWSKI.CO.UK at WASIELEWSKI.CO.UK
sasl_do_kinit: krb5_get_init_creds_keytab failed with error -1765328203
do_bind: lookup(ldap): autofs_sasl_bind returned -1
lookup(ldap): couldn't connect to server ldap://server.wasielewski.co.uk
do_reconnect: lookup(ldap): failed to find available server
lookup(file): failed to read included master map auto.master

On the server I see the following in /var/log/krb5kdc.log (client IP addr redacted):-

Jun 26 22:43:29 server.wasielewski.co.uk krb5kdc[10514](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: NEEDED_PREAUTH: host/server.wasielewski.co.uk at WASIELEWSKI.CO.UK for krbtgt/WASIELEWSKI.CO.UK at WASIELEWSKI.CO.UK, Additional pre-authentication required
Jun 26 22:43:29 server.wasielewski.co.uk krb5kdc[10514](info): closing down fd 5

On the client the ticket cache is:-

[root at localhost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at WASIELEWSKI.CO.UK

Valid starting     Expires            Service principal
06/26/13 20:48:45  06/27/13 20:48:41  krbtgt/WASIELEWSKI.CO.UK at WASIELEWSKI.CO.UK

but on the server it is:

[root at server log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at WASIELEWSKI.CO.UK

Valid starting     Expires            Service principal
06/26/13 00:04:51  06/27/13 00:04:47  krbtgt/WASIELEWSKI.CO.UK at WASIELEWSKI.CO.UK
06/26/13 00:04:54  06/27/13 00:04:47  ldap/server.wasielewski.co.uk at WASIELEWSKI.CO.UK

Should I also have a ticket for LDAP on the client?

Server is running FreeIPA 2.2.2 on FC17.  Client is on FC14.  I had to download the freeipa-client package (and others) from Koji as they were no longer available for FC14 in the usual repos.  I ran ipa-client-install, but in the end had to apply most of the config manually.  However, everything else (IPA domain user login, IPA web UI etc.) that I would expect runs OK on the client.  It is only automount that is giving problems.

I am sure I have got something very simple wrong...hopefully one of the masters can put me right.

Regards,
Andrew


