[Freeipa-users] Kerberos and 2fa with mac OS X client

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 15 20:23:58 UTC 2016


On Thu, 15 Dec 2016, Mark Steele wrote:
>Still no luck.
>
>
>klist
>Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
>        Principal: admin at INT.DOMAIN.COM
>
>  Issued                Expires               Principal
>Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  krbtgt/INT.DOMAIN.COM at INT.DOMAIN.COM
>
>
>KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 mark.steele at INT.DOMAIN.COM
>2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
>2016-12-15T13:35:35 set-error: -1765328243: Principal mark.steele at INT.DOMAIN.COM not found in any credential cache
>mark.steele at INT.DOMAIN.COM's password:
>2016-12-15T13:35:50 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
>2016-12-15T13:35:50 Adding PA mech: SRP
>2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
>2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
>2016-12-15T13:35:50 krb5_get_init_creds: loop 1
>2016-12-15T13:35:50 KDC sent 0 patypes
>2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
>2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
>2016-12-15T13:35:50 submissing new requests to new host
>2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to DNS
>2016-12-15T13:35:51 out of hosts, waiting for replies
>2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
>2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to pulling more hosts
>2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
>2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 00000001
>kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
>mac client config (OS 10.11.1):
>
>cat /etc/krb5.conf
>[libdefaults]
>    default_realm = INT.DOMAIN.COM
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    ticket_lifetime = 24h
>    forwardable = yes
>    renewable = true
>
>
>[realms]
> INT.DOMAIN.COM = {
>  kdc = ds01.int.domain.com:88
>  master_kdc = ds01.int.domain.com:88
>  admin_server = ds01.int.domain.com:749
>  default_domain = int.domain.com
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>[domain_realm]
> .int.domain.com = INT.DOMAIN.COM
> int.domain.com = INT.DOMAIN.COM
>
>On the freeipa server’s krb5kdc.log:
>
>krb5kdc: Realm not local to KDC - while dispatching (udp)
>
>When authenticating with a non 2FA user, works fine.
>
>Can anyone hit me with a clue-stick?
This does not look related to the FAST processing, but what does the
ipa-otpd log look like (journalctl-wise)?


-- 
/ Alexander Bokovoy
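The KRB5_TRACE transcript quoted above is easier to triage once the raw com_err values are decoded and the send/reply pattern is counted. The script below is an added example, not code from this thread, from FreeIPA or from Heimdal. It assumes the Heimdal trace line shapes visible in the post (`set-error: <code>: <msg>`, `writing packet: udp <addr> (<name>)`, `host timed out: ...`, `krb5_sendto_context <realm> done: <code> hosts N packets M`), the libkrb5 error-table base -1765328384, and a sample input reconstructed from the post's own lines. It generalises slightly beyond the post: any error offset below 128 is treated as a protocol error code that a KDC put into a KRB-ERROR, so the same parser separates "the KDC answered with an error" from "the KDC never answered at all".

```python
import re
from collections import Counter

# ERROR_TABLE_BASE_krb5: every com_err value libkrb5 reports is this base plus
# a small offset; the offset is the number listed in krb5_err.et.
KRB5_ERROR_BASE = -1765328384

# Offsets 0..127 are Kerberos protocol error codes (RFC 4120 section 7.5.9),
# i.e. something a KDC sent in a KRB-ERROR; 128 and up are library-side
# conditions raised on the client without any KDC reply being involved.
KRB5_FIRST_LIBRARY_ERROR = 128

# Only the codes seen in the post plus the two pre-auth codes are named here;
# anything else is reported as KRB5_ERROR_OFFSET_<n> (assumption: add more
# entries from krb5_err.et as needed).
KRB5_ERROR_NAMES = {
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    141: "KRB5_CC_NOTFOUND",
    142: "KRB5_CC_END",
    150: "KRB5_PROG_ETYPE_NOSUPP",
    156: "KRB5_KDC_UNREACH",
}

SET_ERROR_RE = re.compile(r"^\S+ set-error: (?P<code>-?\d+): (?P<msg>.*)$")
PACKET_RE = re.compile(
    r"^\S+ (?P<event>connecting to host|writing packet|retrying sending to|host timed out): "
    r"(?P<proto>udp|tcp) (?P<addr>\S+) \((?P<name>[^)]+)\)"
)
DONE_RE = re.compile(
    r"krb5_sendto_context (?P<realm>\S+) done: (?P<code>-?\d+) "
    r"hosts (?P<hosts>\d+) packets (?P<packets>\d+)"
)


def decode_error(code):
    """Turn a raw com_err value such as -1765328228 into (offset, symbolic name)."""
    offset = code - KRB5_ERROR_BASE
    return offset, KRB5_ERROR_NAMES.get(offset, "KRB5_ERROR_OFFSET_%d" % offset)


def is_kdc_reply_error(offset):
    """True if the offset is a protocol error code carried in a KDC's KRB-ERROR."""
    return 0 <= offset < KRB5_FIRST_LIBRARY_ERROR


def triage(trace_text):
    """Summarise one kinit run: decoded errors, packets written per KDC, hosts that
    timed out, the final krb5_sendto_context result and a one-word verdict."""
    errors, writes, timed_out, sendto = [], Counter(), set(), None
    for line in trace_text.splitlines():
        line = line.strip()
        m = SET_ERROR_RE.match(line)
        if m:
            offset, name = decode_error(int(m.group("code")))
            errors.append({"offset": offset, "name": name, "msg": m.group("msg")})
            continue
        m = PACKET_RE.match(line)
        if m:
            target = "%s %s (%s)" % (m.group("proto"), m.group("addr"), m.group("name"))
            if m.group("event") == "writing packet":
                writes[target] += 1
            elif m.group("event") == "host timed out":
                timed_out.add(target)
            continue
        m = DONE_RE.search(line)
        if m:
            sendto = {"realm": m.group("realm"), "hosts": int(m.group("hosts")),
                      "packets": int(m.group("packets")),
                      "result": decode_error(int(m.group("code")))[1]}

    if any(is_kdc_reply_error(e["offset"]) for e in errors):
        verdict = "kdc-returned-error"       # a KRB-ERROR came back: look at pre-auth/FAST
    elif errors and errors[-1]["name"] == "KRB5_KDC_UNREACH" and writes and set(writes) <= timed_out:
        verdict = "kdc-unanswered"           # requests left the client, nothing came back
    else:
        verdict = "client-side-or-unknown"
    return {"errors": errors, "writes": dict(writes), "timed_out": sorted(timed_out),
            "sendto": sendto, "verdict": verdict}


# Constructed sample: the trace lines from the post, with the quote prefix removed.
SAMPLE_TRACE = """
2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
2016-12-15T13:35:35 set-error: -1765328243: Principal mark.steele at INT.DOMAIN.COM not found in any credential cache
2016-12-15T13:35:50 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2016-12-15T13:35:50 krb5_get_init_creds: loop 1
2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 00000001
"""

if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for e in result["errors"]:
        print("%-28s %s" % (e["name"], e["msg"]))
    print("packets written:", result["writes"])
    print("verdict:", result["verdict"])
```

Run against the trace in the post this gives `kdc-unanswered`: three UDP writes to ds01, no reply, and the final error is KRB5_KDC_UNREACH (offset 156, a library-side condition, not a KDC-supplied code). That is consistent with the `krb5kdc` log line Mark quoted, which shows the request did reach the server, so the next evidence to collect is server-side, which is the direction the reply above takes. The three earlier `set-error` lines (CC_END, CC_NOTFOUND, PROG_ETYPE_NOSUPP) are normal credential-cache and enctype-selection noise before the first packet is sent and do not by themselves indicate a fault.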
