[Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server

Patrick de Ruiter p.a.p.de.ruiter at gmail.com
Tue Mar 11 15:01:14 UTC 2014


Hi Rob,

IPA client version is: ipa-client-2.1.3-7.el5

[root at apa01-tst ~]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp.ams at PP.AMS (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp.ams at PP.AMS (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp.ams at PP.AMS (Triple DES cbc mode with HMAC/sha1)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp.ams at PP.AMS (ArcFour with HMAC/md5)


This is what shows up in the log file krb5kdc.log on the KDC:


Mar 11 15:55:02 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/
apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
krbtgt/EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
HTTP/auth01.example.com at EXAMPLE.COM
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes
{18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18
ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes
{18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18
ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549702, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
ldap/auth01.example.com at EXAMPLE.COM
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/
apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
krbtgt/EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
HTTP/auth01.example.com at EXAMPLE.COM
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes
{18}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18
ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549703, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
ldap/auth01.example.com at EXAMPLE.COM
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/
apa01-tst.chn1.oob.example.com at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
krbtgt/EXAMPLE.COM at EXAMPLE.COM
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes
{rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM for
ldap/auth01.example.com at EXAMPLE.COM


Cheers,
Patrick


On Tue, Mar 11, 2014 at 2:00 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Patrick de Ruiter wrote:
>
>> When I want to enroll a new machine the ipa-client-install process
>> bails out with the error "Failed to retrieve encryption type DES cbc
>> mode with CRC-32 (#1)".
>> The output below is the debug output:
>>
>> [root at apa01-tst ~]# ipa-client-install -d --domain=example.com
>> --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
>>
>> root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
>> options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False, 'force': False, 'sssd': True,
>> 'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
>> 'server': None, 'prompt_password': False, 'mkhomedir': True,
>> 'dns_updates': False, 'preserve_sssd': False, 'debug': True,
>> 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM', 'unattended': True, 'ntp_server':
>> 'ns01.example.com', 'principal': None}
>>
>> root        : DEBUG    missing options might be asked for interactively
>> later
>>
>> root        : DEBUG    Loading Index file from
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root        : DEBUG    Loading StateFile from
>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> root        : DEBUG    [IPA Discovery]
>> root        : DEBUG    Starting IPA discovery with domain=example.com, servers=None,
>> hostname=apa01-tst.chn1.oob.example.com
>>
>> root        : DEBUG    Search for LDAP SRV record in example.com
>>
>> root        : DEBUG    [ipadnssearchldap]
>> root        : DEBUG    [ipadnssearchkrb]
>> root        : DEBUG    [ipacheckldap]
>> root        : DEBUG    Verifying that auth01.example.com (realm EXAMPLE.COM) is
>> an IPA server
>> root        : DEBUG    Init ldap with: ldap://auth01.example.com:389
>>
>> root        : DEBUG    Search LDAP server for IPA base DN
>> root        : DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
>> root        : DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA
>> context
>> root        : DEBUG    Search for (objectClass=krbRealmContainer) in
>> dc=pp,dc=ams(sub)
>> root        : DEBUG    Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees':
>> ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'],
>> 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
>> 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
>> ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
>> ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
>> 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
>> 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
>> 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
>> ['86400'], 'krbMaxRenewableAge': ['604800']})]
>> root        : DEBUG    Discovery result: Success;
>> server=auth01.example.com, domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
>>
>> root        : DEBUG    Validated servers: auth01.example.com
>> root        : DEBUG    will use domain: example.com
>>
>> root        : DEBUG    [ipadnssearchldap(example.com)]
>>
>> root        : DEBUG    DNS validated, enabling discovery
>> root        : DEBUG    will use discovered server: auth01.example.com
>> Discovery was successful!
>> root        : DEBUG    will use cli_realm: EXAMPLE.COM
>>
>>
>> root        : DEBUG    will use cli_basedn: dc=pp,dc=ams
>>
>> Hostname: apa01-tst.chn1.oob.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: auth01.example.com
>>
>> BaseDN: dc=pp,dc=ams
>>
>>
>> Synchronizing time with KDC...
>> root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
>>
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=
>> root        : DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>    default_realm = EXAMPLE.COM
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = false
>>    rdns = false
>>    ticket_lifetime = 24h
>>    forwardable = yes
>>
>> [realms]
>> EXAMPLE.COM = {
>>      kdc = auth01.example.com:88
>>      master_kdc = auth01.example.com:88
>>      admin_server = auth01.example.com:749
>>      default_domain = example.com
>>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    }
>>
>> [domain_realm]
>>    .example.com = EXAMPLE.COM
>>    example.com = EXAMPLE.COM
>>
>>
>>
>> root        : INFO     OTP case, CA cert preexisted, use it
>> root        : DEBUG    args=/usr/sbin/ipa-join -s auth01.example.com -b dc=pp,dc=ams -d -w XXXXXXXX
>>
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=request done: ld 0x172d1d10 msgid 1
>> request done: ld 0x172d1d10 msgid 2
>> request done: ld 0x172d1d10 msgid 3
>> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
>> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>> Certificate subject base is: O=EXAMPLE.COM
>>
>> Enrolled in IPA realm EXAMPLE.COM
>>
>> root        : DEBUG    args=/usr/kerberos/bin/kinit -k -t
>> /etc/krb5.keytab host/apa01-tst.chn1.oob.example.com at EXAMPLE.COM
>>
>> root        : DEBUG    stdout=
>> root        : DEBUG    stderr=kinit(v5): Password incorrect while
>> getting initial credentials
>>
>> Failed to obtain host TGT.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>
> I don't think this is related to the DES failure, it just means that the
> KDC doesn't issue DES keys (a good thing).
>
> What keys are in the keytab, and why are errors logged in the KDC when this
> kinit fails?
>
> What is the rpm version of ipa-client?
>
> rob
>
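As an added example (not code from the thread or from FreeIPA), the script below reads the realm's krbSupportedEncSaltTypes values from the ipa-client-install debug output and parses krb5kdc.log request lines: it shows that the DES enctypes the client offers (1, 3, 2) are not in the set the KDC supports, which is all the "Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)" message reflects, and it filters a principal's requests for any status other than ISSUE or NEEDED_PREAUTH, which is what to look for in the KDC log when kinit -k reports "Password incorrect". The sample log lines are constructed from the thread's output, re-joined onto single lines with the real principal syntax; the PREAUTH_FAILED line is constructed for illustration and does not appear in the thread.

```python
import re

# Kerberos enctype numbers as krb5kdc.log prints them (RFC 3961/3962/4757).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Enctype aliases as they appear in FreeIPA's krbSupportedEncSaltTypes values ("alias:salt").
ALIAS_TO_ETYPE = {"aes256-cts": 18, "aes128-cts": 17, "des3-hmac-sha1": 16,
                  "arcfour-hmac": 23, "des-cbc-crc": 1, "des-cbc-md5": 3}
REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([\d ]+)\}\) (\S+): (\w+): "
                    r".*?([^\s,]+@[^\s,]+) for ([^\s,]+@[^\s,]+)")

def kdc_etypes(enc_salt_types):
    """krbSupportedEncSaltTypes values -> the set of enctype numbers the KDC will issue."""
    return {ALIAS_TO_ETYPE[v.split(":")[0]] for v in enc_salt_types if v.split(":")[0] in ALIAS_TO_ETYPE}

def parse_request(line):
    """One krb5kdc.log request line -> dict, or None for lines that are not requests."""
    m = REQ_RE.search(line)
    if not m:
        return None
    req_type, etypes, client, status, cprinc, sprinc = m.groups()
    return {"type": req_type, "client": client, "status": status, "client_princ": cprinc,
            "server_princ": sprinc, "requested": [int(e) for e in etypes.split()]}

def unsupported_etypes(req, supported):
    """Names of the enctypes the client offered that the KDC cannot honour (harmless by itself)."""
    return [ETYPE_NAMES.get(e, str(e)) for e in req["requested"] if e not in supported]

def failures_for(lines, client_princ):
    """Requests by one principal whose status is neither ISSUE nor the normal NEEDED_PREAUTH round trip."""
    reqs = (parse_request(l) for l in lines)
    return [r for r in reqs if r and r["client_princ"] == client_princ
            and r["status"] not in ("ISSUE", "NEEDED_PREAUTH")]

# Constructed sample data: the realm's supported types from the debug output, two log lines from
# the thread joined onto single lines, and one PREAUTH_FAILED line that is NOT in the thread.
REALM_ENC_SALT_TYPES = ["aes256-cts:normal", "aes256-cts:special", "aes128-cts:normal",
                        "aes128-cts:special", "des3-hmac-sha1:normal", "des3-hmac-sha1:special",
                        "arcfour-hmac:normal", "arcfour-hmac:special"]
HOST = "host/apa01-tst.chn1.oob.example.com@EXAMPLE.COM"
TGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SAMPLE_LOG = [
    "Mar 11 15:55:02 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    f"10.63.130.33: NEEDED_PREAUTH: {HOST} for {TGT}, Additional pre-authentication required",
    "Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    f"10.63.130.33: ISSUE: authtime 1394549702, etypes {{rep=18 tkt=18 ses=18}}, {HOST} for {TGT}",
    "Mar 11 15:56:10 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    f"10.63.130.33: PREAUTH_FAILED: {HOST} for {TGT}, Preauthentication failed",
]
```

Run `unsupported_etypes(parse_request(SAMPLE_LOG[0]), kdc_etypes(REALM_ENC_SALT_TYPES))` to see the three DES types the KDC will never issue, and `failures_for(SAMPLE_LOG, HOST)` to pull out the one real failure.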