[Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server

Rob Crittenden rcritten at redhat.com
Tue Mar 11 13:00:55 UTC 2014


Patrick de Ruiter wrote:
> When I want to enroll a new machine the ipa-client-install process
> bails out with the error "Failed to retrieve encryption type DES cbc
> mode with CRC-32 (#1)".
> The output below is the debug output:
>
> [root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False, 'force': False, 'sssd': True,
> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
> 'server': None, 'prompt_password': False, 'mkhomedir': True,
> 'dns_updates': False, 'preserve_sssd': False, 'debug': True,
> 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM', 'unattended': True, 'ntp_server':
> 'ns01.example.com', 'principal': None}
> root        : DEBUG    missing options might be asked for interactively
> later
>
> root        : DEBUG    Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root        : DEBUG    Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> root        : DEBUG    [IPA Discovery]
> root        : DEBUG    Starting IPA discovery with domain=example.com, servers=None,
> hostname=apa01-tst.chn1.oob.example.com
> root        : DEBUG    Search for LDAP SRV record in example.com
> root        : DEBUG    [ipadnssearchldap]
> root        : DEBUG    [ipadnssearchkrb]
> root        : DEBUG    [ipacheckldap]
> root        : DEBUG    Verifying that auth01.example.com (realm EXAMPLE.COM) is
> an IPA server
> root        : DEBUG    Init ldap with: ldap://auth01.example.com:389
> root        : DEBUG    Search LDAP server for IPA base DN
> root        : DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
> root        : DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA context
> root        : DEBUG    Search for (objectClass=krbRealmContainer) in
> dc=pp,dc=ams(sub)
> root        : DEBUG    Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees':
> ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'],
> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
> ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
> ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
> 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
> 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
> 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
> ['86400'], 'krbMaxRenewableAge': ['604800']})]
> root        : DEBUG    Discovery result: Success;
> server=auth01.example.com,
> domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
> root        : DEBUG    Validated servers: auth01.example.com
> root        : DEBUG    will use domain: example.com
>
> root        : DEBUG    [ipadnssearchldap(example.com)]
> root        : DEBUG    DNS validated, enabling discovery
> root        : DEBUG    will use discovered server: auth01.example.com
> Discovery was successful!
> root        : DEBUG    will use cli_realm: EXAMPLE.COM
>
> root        : DEBUG    will use cli_basedn: dc=pp,dc=ams
>
> Hostname: apa01-tst.chn1.oob.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: auth01.example.com
> BaseDN: dc=pp,dc=ams
>
>
> Synchronizing time with KDC...
> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=
> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
> #File modified by ipa-client-install
>
> [libdefaults]
>    default_realm = EXAMPLE.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
>      kdc = auth01.example.com:88
>      master_kdc = auth01.example.com:88
>      admin_server = auth01.example.com:749
>      default_domain = example.com
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>
> [domain_realm]
>    .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> root        : INFO     OTP case, CA cert preexisted, use it
> root        : DEBUG    args=/usr/sbin/ipa-join -s auth01.example.com -b dc=pp,dc=ams -d -w XXXXXXXX
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=request done: ld 0x172d1d10 msgid 1
> request done: ld 0x172d1d10 msgid 2
> request done: ld 0x172d1d10 msgid 3
> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=EXAMPLE.COM
>
> Enrolled in IPA realm EXAMPLE.COM
> root        : DEBUG    args=/usr/kerberos/bin/kinit -k -t
> /etc/krb5.keytab host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=kinit(v5): Password incorrect while
> getting initial credentials
>
> Failed to obtain host TGT.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

I don't think this is related to the DES failure, it just means that the 
KDC doesn't issue DES keys (a good thing).

What keys are in the keytab, and what errors are logged in the KDC when 
this kinit fails?

What is the rpm version of ipa-client?

rob
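As an added example (not from the thread, and not FreeIPA's own code), a small Python helper that answers Rob's first question offline: it parses `klist -k -t -e` output for the new host's keytab and compares the enctypes and KVNOs found there against the realm's krbSupportedEncSaltTypes shown in the discovery output above. The klist sample is constructed and the enctype alias table is an assumption about MIT krb5 naming, neither comes from the thread.

```python
import re

# krbSupportedEncSaltTypes as the discovery step in the thread reported it
# (enctype:salttype pairs); only the enctype half matters for this check.
KDC_SUPPORTED_ENC_SALT_TYPES = [
    "aes256-cts:normal", "aes256-cts:special", "aes128-cts:normal",
    "aes128-cts:special", "des3-hmac-sha1:normal", "des3-hmac-sha1:special",
    "arcfour-hmac:normal", "arcfour-hmac:special",
]

# klist prints MIT's long enctype names, the KDC attributes use the short
# aliases; klist output is normalised onto the short names before comparing.
ENCTYPE_ALIASES = {
    "aes256-cts-hmac-sha1-96": "aes256-cts",
    "aes128-cts-hmac-sha1-96": "aes128-cts",
    "des3-cbc-sha1": "des3-hmac-sha1",
    "arcfour-hmac-md5": "arcfour-hmac",
}

# Constructed sample of `klist -k -t -e /etc/krb5.keytab` output (not from the
# thread); the DES entry is there only to exercise the check.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
   2 03/11/14 12:55:01 host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/11/14 12:55:01 host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/11/14 12:55:01 host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM (des-cbc-crc)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)"; header lines don't match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples with enctype names normalised."""
    entries = []
    for m in filter(None, map(ENTRY_RE.match, text.splitlines())):
        kvno, principal, enctype = m.groups()
        entries.append((int(kvno), principal, ENCTYPE_ALIASES.get(enctype, enctype)))
    return entries

def check_keytab(klist_text, supported_enc_salt_types):
    """Report keys present, their KVNOs, and entries whose enctype the KDC never offers."""
    supported = {est.split(":")[0] for est in supported_enc_salt_types}
    entries = parse_klist(klist_text)
    unusable = [e for e in entries if e[2] not in supported]
    return {"entries": entries, "unusable": unusable, "kvnos": sorted({e[0] for e in entries})}

if __name__ == "__main__":
    report = check_keytab(SAMPLE_KLIST, KDC_SUPPORTED_ENC_SALT_TYPES)
    for kvno, principal, enctype in report["entries"]:
        print(kvno, principal, enctype, "(not offered by KDC)" if (kvno, principal, enctype) in report["unusable"] else "")
```

On a real client, feed it the output of `klist -k -t -e /etc/krb5.keytab` instead of the constructed sample; a KVNO that differs from what the KDC holds for the host principal, or an enctype the KDC does not offer, is what to look for when `kinit -k` reports "Password incorrect".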