[Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server

Patrick de Ruiter p.a.p.de.ruiter at gmail.com
Tue Mar 11 09:32:45 UTC 2014


When I want to enroll a new machine, the ipa-client-install process bails
out with the error "Failed to retrieve encryption type DES cbc mode with
CRC-32 (#1)".
The output below is the debug output:

[root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir
-w otpass --realm=EXAMPLE.COM  --ntp-server=ns01.example.com   --unattended

root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False,
'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname':
None, 'permit': False, 'server': None, 'prompt_password': False,
'mkhomedir': True, 'dns_updates': False, 'preserve_sssd': False, 'debug':
True, 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM',
'unattended': True, 'ntp_server': 'ns01.example.com', 'principal': None}
root        : DEBUG    missing options might be asked for interactively
later

root        : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [IPA Discovery]
root        : DEBUG    Starting IPA discovery with domain=example.com,
servers=None, hostname=apa01-tst.chn1.oob.example.com
root        : DEBUG    Search for LDAP SRV record in example.com
root        : DEBUG    [ipadnssearchldap]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Verifying that auth01.example.com (realm EXAMPLE.COM)
is an IPA server
root        : DEBUG    Init ldap with: ldap://auth01.example.com:389
root        : DEBUG    Search LDAP server for IPA base DN
root        : DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
root        : DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA context
root        : DEBUG    Search for (objectClass=krbRealmContainer) in
dc=pp,dc=ams(sub)
root        : DEBUG    Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams',
{'krbSubTrees': ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    Discovery result: Success; server=auth01.example.com,
domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
root        : DEBUG    Validated servers: auth01.example.com
root        : DEBUG    will use domain: example.com

root        : DEBUG    [ipadnssearchldap(example.com)]
root        : DEBUG    DNS validated, enabling discovery
root        : DEBUG    will use discovered server: auth01.example.com
Discovery was successful!
root        : DEBUG    will use cli_realm: EXAMPLE.COM

root        : DEBUG    will use cli_basedn: dc=pp,dc=ams

Hostname: apa01-tst.chn1.oob.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: auth01.example.com
BaseDN: dc=pp,dc=ams


Synchronizing time with KDC...
root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
auth01.example.com
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
#File modified by ipa-client-install

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = auth01.example.com:88
    master_kdc = auth01.example.com:88
    admin_server = auth01.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM


root        : INFO     OTP case, CA cert preexisted, use it
root        : DEBUG    args=/usr/sbin/ipa-join -s auth01.example.com -b
dc=pp,dc=ams -d -w XXXXXXXX
root        : DEBUG    stdout=
root        : DEBUG    stderr=request done: ld 0x172d1d10 msgid 1
request done: ld 0x172d1d10 msgid 2
request done: ld 0x172d1d10 msgid 3
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=EXAMPLE.COM

Enrolled in IPA realm EXAMPLE.COM
root        : DEBUG    args=/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab
host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM
root        : DEBUG    stdout=
root        : DEBUG    stderr=kinit(v5): Password incorrect while getting
initial credentials

Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Regards,
Patrick
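
A triage helper for debug output like the above, added here as an example and not part of the original post or of FreeIPA: it compares the enctype named in the "Failed to retrieve encryption type" line with the realm's krbSupportedEncSaltTypes from the same log, and records whether a keytab was still written and whether kinit then failed. The function names and the enctype-number table are assumptions of this example; the sample text is abridged from the post's own output.

```python
import re

# Kerberos enctype numbers -> names as written in krbSupportedEncSaltTypes.
# (Assumption of this example: table taken from the Kerberos enctype registry.)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-hmac-sha1",
                 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}

# Abridged from the debug output in the post above, mail line wrapping included.
SAMPLE_LOG = """\
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'],
'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
root        : DEBUG    stderr=kinit(v5): Password incorrect while getting
initial credentials
"""

def _flatten(log):
    """Undo line wrapping so multi-line records match as one string."""
    return " ".join(log.split())

def supported_enctypes(log):
    """Enctype names the realm lists in krbSupportedEncSaltTypes."""
    m = re.search(r"'krbSupportedEncSaltTypes': \[(.*?)\]", _flatten(log))
    if not m:
        return set()
    # Entries look like 'aes256-cts:normal'; drop the salt type after ':'.
    return {e.split(":")[0] for e in re.findall(r"'([^']+)'", m.group(1))}

def failed_enctypes(log):
    """Enctype numbers from 'Failed to retrieve encryption type ... (#N)'."""
    pat = r"Failed to retrieve encryption type .*?\(#(\d+)\)"
    return [int(n) for n in re.findall(pat, _flatten(log))]

def triage(log):
    """Summarise which requested enctypes failed and what happened afterwards."""
    flat, supported = _flatten(log), supported_enctypes(log)
    failed = [{"enctype": n, "name": ENCTYPE_NAMES.get(n, "unknown"),
               "realm_supports": ENCTYPE_NAMES.get(n) in supported}
              for n in failed_enctypes(log)]
    return {"failed": failed,
            "keytab_written": "Keytab successfully retrieved" in flat,
            "kinit_failed": "Password incorrect while getting initial" in flat}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, enctype 1 (des-cbc-crc) is reported as absent from the realm's supported list, alongside a written keytab and a failed kinit.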