[Freeipa-users] ipa group-add-member failed

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 2 20:27:45 UTC 2015


On Mon, 02 Mar 2015, Ben .T.George wrote:
>Hi please find below output
>
>[root at kwttstfreipa01 ~]# kinit admin
>Password for admin at SOLIPA.LOCAL:
>
>[root at kwttstfreipa01 ~]# id admin
>uid=756800000(admin) gid=756800000(admins) groups=756800000(admins)
>
>
>[root at kwttstfreipa01 ~]# KRB5_TRACE=/dev/stderr kvno -S cifs
>kwttestdc001.kwttestdc.com
>[16898] 1425327238.662939: Convert service cifs (service with host as
>instance) on host kwttestdc001.kwttestdc.com to principal
>[16898] 1425327238.663650: Remote host after forward canonicalization:
>kwttestdc001.kwttestdc.com
>[16898] 1425327238.663684: Remote host after reverse DNS processing:
>kwttestdc001.kwttestdc.com
>[16898] 1425327238.663728: Get host realm for kwttestdc001.kwttestdc.com
>[16898] 1425327238.663742: Use local host kwttestdc001.kwttestdc.com to get
>host realm
>[16898] 1425327238.663749: Look up kwttestdc001.kwttestdc.com in the
>domain_realm map
>[16898] 1425327238.663757: Look up .kwttestdc.com in the domain_realm map
>[16898] 1425327238.663764: Temporary realm is KWTTESTDC.COM
>[16898] 1425327238.663771: Got realm KWTTESTDC.COM for host
>kwttestdc001.kwttestdc.com
>[16898] 1425327238.663792: Got service principal cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM
>[16898] 1425327238.663818: Getting credentials admin at SOLIPA.LOCAL -> cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM using ccache KEYRING:persistent:0:0
>[16898] 1425327238.664257: Retrieving admin at SOLIPA.LOCAL -> cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM from KEYRING:persistent:0:0 with
>result: -1765328243/Matching credential not found
>[16898] 1425327238.664381: Retrieving admin at SOLIPA.LOCAL ->
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL from KEYRING:persistent:0:0 with result:
>-1765328243/Matching credential not found
>[16898] 1425327238.664500: Retrieving admin at SOLIPA.LOCAL ->
>krbtgt/SOLIPA.LOCAL at SOLIPA.LOCAL from KEYRING:persistent:0:0 with result:
>0/Success
>[16898] 1425327238.664516: Starting with TGT for client realm:
>admin at SOLIPA.LOCAL -> krbtgt/SOLIPA.LOCAL at SOLIPA.LOCAL
>[16898] 1425327238.664608: Retrieving admin at SOLIPA.LOCAL ->
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL from KEYRING:persistent:0:0 with result:
>-1765328243/Matching credential not found
>[16898] 1425327238.664622: Requesting TGT krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL
>using TGT krbtgt/SOLIPA.LOCAL at SOLIPA.LOCAL
>[16898] 1425327238.664690: Generated subkey for TGS request: aes256-cts/F74E
>[16898] 1425327238.664818: etypes requested in TGS request: aes256-cts,
>aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[16898] 1425327238.665062: Encoding request body and padata into FAST
>request
>[16898] 1425327238.665256: Sending request (1486 bytes) to SOLIPA.LOCAL
>[16898] 1425327238.665597: Initiating TCP connection to stream
>172.16.107.250:88
>[16898] 1425327238.665802: Sending TCP request to stream 172.16.107.250:88
>[16898] 1425327238.673061: Received answer from stream 172.16.107.250:88
>[16898] 1425327238.673285: Response was from master KDC
>[16898] 1425327238.673342: Decoding FAST response
>[16898] 1425327238.673574: FAST reply key: aes256-cts/9134
>[16898] 1425327238.673650: TGS reply is for admin at SOLIPA.LOCAL ->
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL with session key aes256-cts/4F6F
>[16898] 1425327238.673691: TGS request result: 0/Success
>[16898] 1425327238.673753: Removing admin at SOLIPA.LOCAL ->
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL from KEYRING:persistent:0:0
>[16898] 1425327238.673768: Storing admin at SOLIPA.LOCAL ->
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL in KEYRING:persistent:0:0
>[16898] 1425327238.673933: Received TGT for service realm:
>krbtgt/KWTTESTDC.COM at SOLIPA.LOCAL
>[16898] 1425327238.673950: Requesting tickets for cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM, referrals on
>[16898] 1425327238.673998: Generated subkey for TGS request: aes256-cts/8623
>[16898] 1425327238.674084: etypes requested in TGS request: aes256-cts,
>aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[16898] 1425327238.674238: Encoding request body and padata into FAST
>request
>[16898] 1425327238.674395: Sending request (1531 bytes) to KWTTESTDC.COM
>[16898] 1425327238.676086: Resolving hostname kwttestdc001.kwttestdc.com.
>[16898] 1425327238.678096: Resolving hostname kwttestdc001.kwttestdc.com.
>[16898] 1425327238.678907: Initiating TCP connection to stream
>172.16.104.231:88
>[16898] 1425327238.679404: Sending TCP request to stream 172.16.104.231:88
>[16898] 1425327238.681292: Received answer from stream 172.16.104.231:88
>[16898] 1425327238.682088: Response was not from master KDC
>[16898] 1425327238.682142: TGS request result: -1765328372/KDC policy
>rejects request
>[16898] 1425327238.682161: Requesting tickets for cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM, referrals off
>[16898] 1425327238.682212: Generated subkey for TGS request: aes256-cts/50DA
>[16898] 1425327238.682283: etypes requested in TGS request: aes256-cts,
>aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>[16898] 1425327238.682391: Encoding request body and padata into FAST
>request
>[16898] 1425327238.682499: Sending request (1531 bytes) to KWTTESTDC.COM
>[16898] 1425327238.683871: Resolving hostname kwttestdc001.kwttestdc.com.
>[16898] 1425327238.684756: Resolving hostname kwttestdc001.kwttestdc.com.
>[16898] 1425327238.685461: Initiating TCP connection to stream
>172.16.104.231:88
>[16898] 1425327238.685864: Sending TCP request to stream 172.16.104.231:88
>[16898] 1425327238.687136: Received answer from stream 172.16.104.231:88
>[16898] 1425327238.687793: Response was not from master KDC
>[16898] 1425327238.687832: TGS request result: -1765328372/KDC policy
>rejects request
>kvno: KDC policy rejects request while getting credentials for cifs/
>kwttestdc001.kwttestdc.com at KWTTESTDC.COM
The last line tells that the trust is not working.

Read the discussion in this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00397.html
and follow the recommendations there; it was just last week here.
-- 
/ Alexander Bokovoy
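A small triage script, added here as an example and not part of the thread, that parses the KRB5_TRACE lines quoted above (re-typed unwrapped as constructed sample input) and reports at which stage the cross-realm ticket path fails. It assumes the libkrb5 com_err value for KRB5KDC_ERR_POLICY printed in the trace; the pattern it flags is exactly the one in the quoted output: the home realm issued the cross-realm TGT, but the trusted realm's KDC rejected the service ticket request.

```python
import re
from dataclasses import dataclass

# KRB5KDC_ERR_POLICY as libkrb5 prints it in the trace (negative com_err code).
KDC_ERR_POLICY = -1765328372

# Constructed, unwrapped excerpt of the KRB5_TRACE lines quoted in the thread.
SAMPLE_TRACE = """\
[16898] 1425327238.664622: Requesting TGT krbtgt/KWTTESTDC.COM@SOLIPA.LOCAL using TGT krbtgt/SOLIPA.LOCAL@SOLIPA.LOCAL
[16898] 1425327238.673691: TGS request result: 0/Success
[16898] 1425327238.673950: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals on
[16898] 1425327238.682142: TGS request result: -1765328372/KDC policy rejects request
[16898] 1425327238.682161: Requesting tickets for cifs/kwttestdc001.kwttestdc.com@KWTTESTDC.COM, referrals off
[16898] 1425327238.687832: TGS request result: -1765328372/KDC policy rejects request
"""

REQ_TGT = re.compile(r"Requesting TGT (\S+) using TGT (\S+)")
REQ_SVC = re.compile(r"Requesting tickets for (\S+), referrals (on|off)")
RESULT = re.compile(r"TGS request result: (-?\d+)/(.*)$")

@dataclass
class Step:
    kind: str         # "tgt" (cross-realm TGT) or "service" (service ticket)
    principal: str    # principal that was requested
    code: int = 0     # result code, filled in by the next "TGS request result" line
    message: str = ""

def parse_trace(text):
    """Pair each TGS request in the trace with the result line that follows it."""
    steps = []
    for line in text.splitlines():
        if m := REQ_TGT.search(line):
            steps.append(Step("tgt", m.group(1)))
        elif m := REQ_SVC.search(line):
            steps.append(Step("service", m.group(1)))
        elif (m := RESULT.search(line)) and steps:
            steps[-1].code, steps[-1].message = int(m.group(1)), m.group(2)
    return steps

def diagnose(steps):
    """Report the stage at which the cross-realm ticket path fails, if any."""
    failed_tgt = [s for s in steps if s.kind == "tgt" and s.code != 0]
    if failed_tgt:
        return f"home KDC refused cross-realm TGT {failed_tgt[0].principal}: {failed_tgt[0].message}"
    cross = [s for s in steps if s.kind == "tgt" and s.code == 0]
    svc = [s for s in steps if s.kind == "service"]
    if cross and svc and all(s.code == KDC_ERR_POLICY for s in svc):
        return (f"cross-realm TGT {cross[0].principal} issued, but the trusted realm's "
                f"KDC rejected every ticket request with KDC policy: trust is not working")
    if svc and svc[-1].code == 0:
        return "service ticket obtained: trust path works"
    return "no conclusive failure pattern in trace"
```

Run it on the full output of `KRB5_TRACE=/dev/stderr kvno -S cifs <host>` after re-joining lines that a mail client wrapped; the result-line pairing is what distinguishes "home KDC refused" from "trusted KDC refused".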