[Freeipa-users] authenticating with dns

Martin Basti mbasti at redhat.com
Thu Feb 23 08:17:18 UTC 2017



On 22.02.2017 23:26, Aaron Young wrote:
> Hello Everyone
>
> I recently lost the master master IPA server setup by the previous 
> administrator.
> As it stands now, if I try to add a new client, in order to standup a 
> new replica, I get errors while trying to setup DNS. This led me to 
> look at how authentication worked (I'm new to IPA) and I learned about 
> the kerberos tools
>
> I don't know if I'm familiar enough with the terminology to adequately 
> describe what I'm experiencing, so I'll give you some of the commands 
> and their results
>
> but first, a bit on the design
>
> before I got to this, we had
>
> a <-> b <-> c <-> d
>
> b was the master master
>
> a, happened to point to two test servers nyc02ipa01 and nyc02ipa02 
> (not pictured, I discovered them later when c and d started having 
> problems)
>
> a - nyc01ipa02
> b - nyc01ipa01
> c - ld4ipa01
> d - ld4ipa02
>
> currently, I have nyc02ipa02 <-> nyc01ipa02
> the reason I have it limited like this is because all the other 
> servers stopped replicating for one reason or another (mainly that 
> they can't authenticate or in one case, there was a database record 
> corruption)
> Anyway, here are some activities and logs from the latest round of 
> fixes and information activities I've been engaging in
>
> 22:54:32 root at nyc01ipa02:~# kinit admin
> kinit: Clients credentials have been revoked while getting initial 
> credentials
>
> Reading through this 
> <http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html> tells 
> me that
>
>     # kadmin: modprinc -unlock PRINCNAME
>
> will unlock an account...but if I can't get in....
>
>     22:54:37 root at nyc01ipa02:~# kadmin
>     Authenticating as principal root/admin at MF with password.
>     kadmin: Client 'root/admin at MF' not found in Kerberos database
>     while initializing kadmin interface
>
> on ld4ipa02, did a
>
>     # ipa-client-install --uninstall
>
> then
>
>     # ipa-client-install --force-join --enable-dns-updates --permit -f
>     --ssh-trust-dns --request-cert --automount-location=LD4
>     --enable-dns-updates
>
> DNS did not update, here is the relevant portion from 
> /var/log/ipaclient-install.log
>
>     2017-02-20T18:46:49Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
>     2017-02-20T18:46:49Z DEBUG debug
>
>     update delete ld4ipa02.mf. IN A
>     show
>     send
>
>     update delete ld4ipa02.mf. IN AAAA
>     show
>     send
>
>     update add ld4ipa02.mf. 1200 IN A 10.102.100.140
>     show
>     send
>
>     2017-02-20T18:46:49Z DEBUG Starting external process
>     2017-02-20T18:46:49Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>     2017-02-20T18:46:49Z DEBUG Process finished, return code=1
>     2017-02-20T18:46:49Z DEBUG stdout=Outgoing update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>     ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>     ;; UPDATE SECTION:
>     ld4ipa02.mf. 0 ANY A
>
>     2017-02-20T18:46:49Z DEBUG stderr=Reply from SOA query:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34702
>     ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>     ;; QUESTION SECTION:
>     ;ld4ipa02.mf. IN SOA
>
>     ;; AUTHORITY SECTION:
>     mf. 1800 IN SOA ld4ipa01.mf. hostmaster.mf. 1487615509 3600 900 1209600 3600
>
>     Found zone name: mf
>     The master is: ld4ipa01.mf
>     start_gssrequest
>     tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ld4ipa01.mf at MF not found in Kerberos database.
>
>     2017-02-20T18:46:49Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>     2017-02-20T18:46:49Z ERROR Failed to update DNS records.
>     2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN A
>     2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>     2017-02-20T18:46:49Z DEBUG DNS resolver: Query: ld4ipa02.mf IN AAAA
>     2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>     2017-02-20T18:46:49Z DEBUG DNS resolver: Query: 140.100.102.10.in-addr.arpa. IN PTR
>     2017-02-20T18:46:49Z DEBUG DNS resolver: No record.
>     2017-02-20T18:46:49Z WARNING Missing A/AAAA record(s) for host ld4ipa02.mf: 10.102.100.140.
>     2017-02-20T18:46:49Z WARNING Missing reverse record(s) for address(es): 10.102.100.140.
>
> Why isn't there an entry for "DNS/ld4ipa01.mf at MF" in the Kerberos 
> database?
>
> klist -ktK /etc/dirsrv/ds.keytab on ld4ipa01 returns
>
>     Keytab name: FILE:/etc/dirsrv/ds.keytab
>     KVNO Timestamp           Principal
>     ---- ------------------- ------------------------------------------------------
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0x696a502bc73d209acdd36c42242f7f8aff9dbba1073b34ea018ed3bd9cdfd970)
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0xe031464b6948ea34f4291d40fca7a21e)
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0xe94a1c98fe79b6317901435d9e9e0257cefe438ff2ec527f)
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0x6aaf4c7fa6b51b9de032b7c6428307b5)
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0x5e0702f44aef9e0633e09eede7ca8041)
>        2 11/17/2016 20:38:39 ldap/ld4ipa01.mf at MF (0x6e3a9d29ee3f129a156ae6228ab7728df8ce5de923a61eba6a2e7802b8d230b6)
>
>
> Tried to test connectivity using ldapsearch  found that I could 
> connect to other hosts on 389 but not 636
>
>     # ldapsearch -Hldap://nyc02ipa02:389  -D "cn=directory manager" -W -b "" -s base
>
>     # ldapsearch -Hldaps://nyc02ipa02:686 -D "cn=directory manager" -W -b "" -s base
>
> Testing the kvno
>
>     02:10:00 root at ld4ipa01:~# kvno DNS/ld4ipa01.mf at MF
>     DNS/ld4ipa01.mf at MF: kvno = 2
>
>     02:10:52 root at ld4ipa02:~# kvno DNS/ld4ipa01.mf at MF
>     kvno: Server DNS/ld4ipa01.mf at MF not found in Kerberos database
>     while getting credentials for DNS/ld4ipa01.mf at MF
>
> Add this to any command line to get debug on kerberos commands
>
>     KRB5_TRACE=/dev/stdout  kvno DNS/ld4ipa01.mf at MF
>
> So, looking at the debug
> kvno from ld4ipa02 does not return tickets. It does this because it 
> contacts the KDC, which is nyc02ipa02, and nyc02ipa02 does not 
> recognize ld4ipa02 as an IPA server. It doesn't recognize ld4ipa01 either.
>
> right now, if I try to connect nyc02ipa02 to ld4ipa01 I get
>
>     21:56:27 root at nyc02ipa02:~# ipa topologysegment-add domain
>     ld4ipa01-to-nyc02ipa02 --leftnode ld4ipa01.mf --rightnode
>     nyc02ipa02.mf
>     ipa: ERROR: invalid 'leftnode': left node is not a topology node:
>     ld4ipa01.mf
>
>     # ipa privilege-show 'DNS Servers' --all --raw
>     dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=mf
>     cn: DNS Servers
>     description: DNS Servers
>     member: krbprincipalname=DNS/nyc01ipa02.mf at MF,cn=services,cn=accounts,dc=mf
>     member: krbprincipalname=ipa-dnskeysyncd/nyc01ipa02.mf at MF,cn=services,cn=accounts,dc=mf
>     member: krbprincipalname=DNS/nyc02ipa02.mf at MF,cn=services,cn=accounts,dc=mf
>     member: krbprincipalname=ipa-dnskeysyncd/nyc02ipa02.mf at MF,cn=services,cn=accounts,dc=mf
>     member: krbprincipalname=ipa-ods-exporter/nyc01ipa02.mf at MF,cn=services,cn=accounts,dc=mf
>     memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=mf
>     memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=mf
>     objectClass: top
>     objectClass: groupofnames
>     objectClass: nestedgroup
>
> -- 
> Aaron Young
> MarketFactory, Manager of Site Reliability Engineering
> 425 Broadway, 3FL
> New  York, NY 10013
> Office: +1 212 625 9988
> Direct +1 646 779 3710
> US Support: +1 (212) 625-0688 | UK Support: +44 (0) 203 695-7997
>
>

Hello,

please don't use the kadmin utility, it is not integrated very well with IPA 
(or unsupported is a better word) and may break it even more. It looks 
like you have corrupted kerberos credentials for ld4ipa01

I see you are installing a client on ld4ipa01, was the IPA server removed 
properly previously?

Martin
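A triage helper, added here as an example (not part of the thread or of FreeIPA), that parses the two outputs quoted above, the `nsupdate -g` stderr and the members of the 'DNS Servers' privilege, and reports whether the SOA master the client sent its GSS-TSIG update to actually holds a DNS/ service principal known to the 'DNS Servers' privilege. It assumes the Kerberos realm is the upper-cased zone name, as in this thread, and writes `@` where the archive shows ` at `.

```python
import re

# Constructed sample (values taken from the thread, '@' where the archive
# shows ' at '): the stderr of 'nsupdate -g' as logged by ipa-client-install.
NSUPDATE_STDERR = """\
Found zone name: mf
The master is: ld4ipa01.mf
start_gssrequest
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ld4ipa01.mf@MF not found in Kerberos database.
"""

# Constructed sample: member lines of "ipa privilege-show 'DNS Servers' --all --raw".
PRIVILEGE_RAW = """\
  member: krbprincipalname=DNS/nyc01ipa02.mf@MF,cn=services,cn=accounts,dc=mf
  member: krbprincipalname=ipa-dnskeysyncd/nyc01ipa02.mf@MF,cn=services,cn=accounts,dc=mf
  member: krbprincipalname=DNS/nyc02ipa02.mf@MF,cn=services,cn=accounts,dc=mf
"""

def parse_nsupdate(stderr):
    """Pull zone, SOA master and the principal named in a TKEY failure out of nsupdate -g output."""
    def grab(pattern):
        m = re.search(pattern, stderr, re.M)
        return m.group(1) if m else None
    return {
        "zone": grab(r"^Found zone name: (\S+)"),
        "master": grab(r"^The master is: (\S+)"),
        # same wording kvno prints, so kvno output can be fed in as well
        "missing_principal": grab(r"Server (\S+?) not found in Kerberos database"),
    }

def dns_servers(privilege_raw):
    """Hosts that hold a DNS/ service principal in the 'DNS Servers' privilege."""
    return set(re.findall(r"krbprincipalname=DNS/([^@,]+)@", privilege_raw))

def triage(stderr, privilege_raw):
    """Explain a GSS-TSIG failure: the update went to a master whose DNS/ principal the KDC lacks."""
    info = parse_nsupdate(stderr)
    findings = []
    if not info["missing_principal"]:
        return info, findings  # some other failure mode; nothing to conclude here
    # GSS-TSIG authenticates to DNS/<SOA master>@<REALM>; assumption: REALM == zone upper-cased.
    expected = f"DNS/{info['master']}@{info['zone'].upper()}"
    if info["missing_principal"] != expected:
        findings.append(f"KDC rejected {info['missing_principal']} but client targets {expected}")
    host = info["missing_principal"].split("/", 1)[1].split("@", 1)[0]
    enrolled = dns_servers(privilege_raw)
    if host not in enrolled:
        findings.append(f"{host} holds no DNS/ principal in 'DNS Servers'; enrolled: {sorted(enrolled)}")
    return info, findings
```

Running `triage(NSUPDATE_STDERR, PRIVILEGE_RAW)` on the thread's data yields a single finding: ld4ipa01.mf is not among the enrolled DNS servers, which is why the KDC the client reaches cannot issue a ticket for DNS/ld4ipa01.mf@MF.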