[Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server
Rob Crittenden
rcritten at redhat.com
Tue Mar 11 13:00:55 UTC 2014
Patrick de Ruiter wrote:
> When I want to enroll a new machine the ipa-client-install process
> bails out with the error "Failed to retrieve encryption type DES cbc
> mode with CRC-32 (#1)".
> The output below is the debug output:
>
> [root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': None, 'prompt_password': False, 'mkhomedir': True,
> 'dns_updates': False, 'preserve_sssd': False, 'debug': True,
> 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM',
> 'unattended': True, 'ntp_server': 'ns01.example.com', 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root : DEBUG [IPA Discovery]
> root : DEBUG Starting IPA discovery with domain=example.com, servers=None,
> hostname=apa01-tst.chn1.oob.example.com
> root : DEBUG Search for LDAP SRV record in example.com
> root : DEBUG [ipadnssearchldap]
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG Verifying that auth01.example.com (realm EXAMPLE.COM) is
> an IPA server
> root : DEBUG Init ldap with: ldap://auth01.example.com:389
> root : DEBUG Search LDAP server for IPA base DN
> root : DEBUG Check if naming context 'dc=pp,dc=ams' is for IPA
> root : DEBUG Naming context 'dc=pp,dc=ams' is a valid IPA context
> root : DEBUG Search for (objectClass=krbRealmContainer) in
> dc=pp,dc=ams(sub)
> root : DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees':
> ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
> ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
> ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
> 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
> 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
> 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
> ['86400'], 'krbMaxRenewableAge': ['604800']})]
> root : DEBUG Discovery result: Success;
> server=auth01.example.com, domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
> root : DEBUG Validated servers: auth01.example.com
> root : DEBUG will use domain: example.com
>
> root : DEBUG [ipadnssearchldap(example.com)]
> root : DEBUG DNS validated, enabling discovery
> root : DEBUG will use discovered server: auth01.example.com
> Discovery was successful!
> root : DEBUG will use cli_realm: EXAMPLE.COM
>
> root : DEBUG will use cli_basedn: dc=pp,dc=ams
>
> Hostname: apa01-tst.chn1.oob.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: auth01.example.com
> BaseDN: dc=pp,dc=ams
>
>
> Synchronizing time with KDC...
> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
> root : DEBUG stdout=
> root : DEBUG stderr=
> root : DEBUG Writing Kerberos configuration to /tmp/tmpM19nuR:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> kdc = auth01.example.com:88
> master_kdc = auth01.example.com:88
> admin_server = auth01.example.com:749
> default_domain = example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> root : INFO OTP case, CA cert preexisted, use it
> root : DEBUG args=/usr/sbin/ipa-join -s auth01.example.com -b dc=pp,dc=ams -d -w XXXXXXXX
> root : DEBUG stdout=
> root : DEBUG stderr=request done: ld 0x172d1d10 msgid 1
> request done: ld 0x172d1d10 msgid 2
> request done: ld 0x172d1d10 msgid 3
> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=EXAMPLE.COM
>
> Enrolled in IPA realm EXAMPLE.COM
> root : DEBUG args=/usr/kerberos/bin/kinit -k -t
> /etc/krb5.keytab host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM
> root : DEBUG stdout=
> root : DEBUG stderr=kinit(v5): Password incorrect while
> getting initial credentials
>
> Failed to obtain host TGT.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
I don't think this is related to the DES failure, it just means that the
KDC doesn't issue DES keys (a good thing).
What keys are in the keytab, and why are errors logged in the KDC when
this kinit fails?
What is the rpm version of ipa-client?
rob
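One way to answer the "what keys are in the keytab" question, added here as an example and not code from the thread or from FreeIPA: parse the output of `klist -kte /etc/krb5.keytab` and compare the enctypes stored for the host principal against the krbSupportedEncSaltTypes the discovery output shows the KDC advertising. The klist sample below is constructed, and the alias table assumes the enctype display names MIT klist prints (short names on newer krb5, long names on the RHEL 5 era one).

```python
import re

# Enctypes the KDC in this thread advertises (krbSupportedEncSaltTypes, salt suffix stripped).
KDC_ENCTYPES = {"aes256-cts", "aes128-cts", "des3-hmac-sha1", "arcfour-hmac"}

# Names klist prints for the same enctypes: the short MIT form (newer klist)
# and the long display name an older krb5 (RHEL 5 era) klist prints. Assumed.
_ALIASES = {
    "aes256-cts-hmac-sha1-96": "aes256-cts",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts",
    "aes128-cts-hmac-sha1-96": "aes128-cts",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts",
    "des3-cbc-sha1": "des3-hmac-sha1",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "arcfour-hmac-md5": "arcfour-hmac",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# Entry line: "   2 03/11/14 12:55:01 host/name@REALM (enctype name)"
_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist_kte(text):
    """Parse 'klist -kte' output into a list of (kvno, principal, enctype)."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            name = m.group(3).strip()
            entries.append((int(m.group(1)), m.group(2), _ALIASES.get(name, name)))
    return entries

def key_report(entries, principal, kdc_enctypes=KDC_ENCTYPES):
    """Split the enctypes stored for `principal` into those the KDC also
    supports and those it does not. If the first set is empty the KDC has no
    key it can use for that principal, so 'kinit -k' cannot succeed."""
    mine = {enc for _, p, enc in entries if p == principal}
    return mine & set(kdc_enctypes), mine - set(kdc_enctypes)

# Constructed sample output (not from the thread) for the host principal seen
# in the failing kinit, as an old klist would print it.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/11/14 12:55:01 host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 12:55:01 host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""
```

Run `key_report(parse_klist_kte(open("/path/to/klist-output").read()), "host/<fqdn>@REALM")` on the real output; the kvno column is also worth comparing with what the KDC logs for the failed AS-REQ.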