[Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

Dale Macartney dale at themacartneyclan.com
Fri Mar 15 12:59:59 UTC 2013


On 03/15/2013 10:06 AM, Dale Macartney wrote:
>
>
> On 03/15/2013 10:03 AM, Dale Macartney wrote:
>
>
> > On 03/15/2013 09:52 AM, Sumit Bose wrote:
> > > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote:
> > >>
> > > Morning all
>
> > > I have set up the domain trust and have errors when trying to map
> > > groups from AD to IPA
>
> > > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> > > When adding groups, I get the following.
>
> > > [root at ds01 ~]# ipa group-add --desc='Active Directory Domain Admins
> > > external map' domain_admins_map --external
> > > [root at ds01 ~]# ipa group-add-member domain_admins_map --external
> > > 'NT\Domain Admins'
> > > [member user]:
> > > [member group]:
> > > ipa: ERROR: cannot connect to
> > > u'https://ds01.example.com/ipa/session/xml': Internal Server Error
> > > [root at ds01 ~]#
>
> > > When the above error occurs I see the following in /var/log/httpd/error_log
>
> > > ==> /var/log/httpd/error_log <==
> > > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache:
> > > ccache_name (FILE:/var/run/ipa_memcached/krbcc_5374) != KRB5CCNAME
> > > environment variable (/var/run/ipa_memcached/krbcc_TDN)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi
> > > (pid=5374): Exception occurred processing WSGI script
> > > '/usr/share/ipa/wsgi.py'.
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most
> > > recent call last):
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/share/ipa/wsgi.py", line 49, in application
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > api.Backend.wsgi_dispatch(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
248, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > self.route(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
260, in
> > > route
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > app(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
1193, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > super(xmlserver_session, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
709, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > super(xmlserver, self).__call__(environ, start_response)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
375, in
> > > __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response =
> > > self.wsgi_execute(environ)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
334, in
> > > wsgi_execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > > self.Command[name](*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435,
in __call__
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret =
> > > self.run(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747,
in run
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > self.execute(*args, **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line
> > > 1590, in execute
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line
387, in
> > > post_callback
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid =
> > > domain_validator.get_sid_trusted_domain_object(sid)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in
> > > get_sid_trusted_domain_object
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> > > self.resolve_against_gc(domain, components['name'])
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in
> > > resolve_against_gc
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry =
> > > self.__resolve_against_gc(info, host, port, name)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in
> > > __resolve_against_gc
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11]
> > > conn.sasl_interactive_bind_s(None, sasl_auth)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
line 566,
> > > in sasl_interactive_bind_s
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > > self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls,
> > > sasl_flags)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in
> > > sasl_interactive_bind_s
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return
> > >
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File
> > > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
> > > _ldap_call
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result =
> > > func(*args,**kwargs)
> > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR:
> > > {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > > failure. Minor code may provide more information (Server
> > > ldap/dc01.nt.example.com at EXAMPLE.COM not found in Kerberos database)',
> > > 'desc': 'Local error'}
>
> > > > Looks like your AD domain is DNS-wise a subdomain of the FreeIPA domain
> > > > example.dom. Please try to add something like
>
> > > > .nt.example.com = NT.EXAMPLE.COM
> > > > nt.example.com = NT.EXAMPLE.COM
>
> > > > to the [domain_realm] section in /etc/krb5.conf. SSSD should have
> > > > created an include file with this information, but due to some errors it
> > > > is not read in the 6.4 version.
>
> > > > HTH
>
> > > > bye,
> > > > Sumit
> > No joy unfortunately mate. I tried adding it to both the ipa server
> > and the member server but still no change. Logs are still appearing as
> > before.
>
> > Dale
> Looks like I spoke too soon. I tried again about 10 seconds later and
> now it works.
>
> Thanks for the suggestion :-)
>
>
>
> > > Just to clarify, iptables has been flushed and selinux is currently
> > > permissive. Running latest patches from RHN as of 2013/03/14
>
> > > Any thoughts?
>
> > > Dale
>


Now for the next round of logs

I have the environment set up as follows

IPA Domain: example.com
IPA server: ds01.example.com/10.0.1.11
Squid Proxy: proxy.example.com (set up according to
https://www.dalemacartney.com/2012/07/05/squid-proxy-integration-with-freeipa-authenticated-users-with-kerberos-single-sign-on/)
Postfix Server: mail.example.com (set up according to
https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/)

AD Domain: nt.example.com
Domain Controller: ds01.example.com/10.0.2.11
Workstation: workstation01.nt.example.com (Win7)
RHEL member server: member01.nt.example.com (set up according to
https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/)

The trust is set up. The domain admins group is mapped successfully to IPA...

HBAC rules of IPA are as follows

[root at ds01 ~]# ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root at ds01 ~]#



When I ssh from member01.nt.example.com (logged in as the domain
administrator), the below logs appear in the /var/log/krb5kdc.log


Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, 
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument


Domain administrator's ticket list is as follows

[administrator at member01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000500_dPQPno
Default principal: administrator at NT.EXAMPLE.COM

Valid starting     Expires            Service principal
03/15/13 12:49:34  03/15/13 22:49:36  krbtgt/NT.EXAMPLE.COM at NT.EXAMPLE.COM
    renew until 03/22/13 12:49:34
03/15/13 12:49:55  03/15/13 22:49:36  krbtgt/EXAMPLE.COM at NT.EXAMPLE.COM
    renew until 03/22/13 12:49:34
[administrator at member01 ~]$

and the ssh command returns the below when running in verbose mode

[administrator at member01 ~]$ ssh -l administrator at nt.example.com
proxy.example.com -vvv
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to proxy.example.com [10.0.1.22] port 22.
debug1: Connection established.
debug1: identity file /home/administrator/.ssh/identity type -1
debug1: identity file /home/administrator/.ssh/id_rsa type -1
debug1: identity file /home/administrator/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 141/256
debug2: bits set: 525/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename
/home/administrator/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename
/home/administrator/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'proxy.example.com' is known and matches the RSA host key.
debug1: Found key in /home/administrator/.ssh/known_hosts:1
debug2: bits set: 531/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/administrator/.ssh/identity ((nil))
debug2: key: /home/administrator/.ssh/id_rsa ((nil))
debug2: key: /home/administrator/.ssh/id_dsa ((nil))
debug3: Wrote 96 bytes for a total of 1141
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.0.1.22.
debug1: Unspecified GSS failure.  Minor code may provide more information
KDC returned error string: HANDLE_AUTHDATA

debug1: Unspecified GSS failure.  Minor code may provide more information
KDC returned error string: HANDLE_AUTHDATA

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 112 bytes for a total of 1253
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/administrator/.ssh/identity
debug3: no such identity: /home/administrator/.ssh/identity
debug1: Trying private key: /home/administrator/.ssh/id_rsa
debug3: no such identity: /home/administrator/.ssh/id_rsa
debug1: Trying private key: /home/administrator/.ssh/id_dsa
debug3: no such identity: /home/administrator/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
administrator at nt.example.com@proxy.example.com's password:


Any ideas what KDC returned error string: HANDLE_AUTHDATA means?

Dale
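
Added example, not part of the original post: a parser that pairs each "PAC Info mismatch" line in a krb5kdc.log excerpt like the one above with the HANDLE_AUTHDATA TGS_REQ line that follows it, so the expected and found domain SIDs are reported per client principal and service. The function names, the pairing by KDC pid and line order, and the ISSUE sample line are assumptions made for this example.

```python
import re

# One event copied from the excerpt above, kept as the mail archive shows it:
# wrapped across lines and with "@" rewritten as " at ".
EVENT = """\
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776,
administrator at NT.EXAMPLE.COM for host/proxy.example.com at EXAMPLE.COM,
Invalid argument
"""
# Constructed line for a request that succeeded; the parser must ignore it.
ISSUE = ("Mar 15 12:52:01 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes "
         "{18 17 16 23}) 10.0.1.254: ISSUE: authtime 1363351776, etypes {rep=18 "
         "tkt=18 ses=18}, admin@EXAMPLE.COM for host/proxy.example.com@EXAMPLE.COM\n")
SAMPLE_LOG = EVENT * 2 + ISSUE

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
MISMATCH = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(Error\): PAC Info mismatch: domain = (?P<domain>\S+), "
    r"expected domain SID = (?P<expected>S-[\d-]+), found domain SID = (?P<found>S-[\d-]+)")
PRINC = r"\S+?(?:@| at )\S+?"          # principal, with or without archive mangling
TGS_FAIL = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): TGS_REQ \(.*?\) (?P<addr>\S+): HANDLE_AUTHDATA: "
    r"authtime \d+,\s+(?P<client>" + PRINC + r") for (?P<service>" + PRINC + r"),")


def unwrap(text):
    """Rejoin wrapped log lines: a line without a syslog timestamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out


def pac_mismatches(text):
    """Return one dict per PAC mismatch, filled in from the matching TGS_REQ failure."""
    pending, events = {}, []           # pending: KDC pid -> mismatch awaiting its TGS_REQ
    for line in unwrap(text):
        m = MISMATCH.search(line)
        if m:
            if m["pid"] in pending:    # earlier mismatch never got a TGS_REQ line
                events.append(pending.pop(m["pid"]))
            pending[m["pid"]] = {**m.groupdict(), "addr": None, "client": None, "service": None}
            continue
        m = TGS_FAIL.search(line)
        if m and m["pid"] in pending:
            ev = pending.pop(m["pid"])
            ev.update(addr=m["addr"], client=m["client"].replace(" at ", "@"),
                      service=m["service"].replace(" at ", "@"))
            events.append(ev)
    return events + list(pending.values())


if __name__ == "__main__":
    for ev in pac_mismatches(SAMPLE_LOG):
        print("{client} -> {service} from {addr}: domain {domain} "
              "expected {expected}, found {found}".format(**ev))
```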

