On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone
<fbarr...@redhat.com> wrote:
> What version of IPA are you running?

ipa-server-4.5.0-21.el7.x86_64

> Is SELinux in permissive mode?

Not normally, but I set it to permissive and ran 'ipactl restart' with
no change.

> What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem and
> /var/kerberos/krb5kdc/kdc.crt ?

-rw-r--r--. root root system_u:object_r:krb5kdc_conf_t:s0 /var/kerberos/krb5kdc/kdc.crt
-r--r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

> could you share your /etc/sssd/sssd.conf ?

# !!! Warning !!!
# This file is auto-generated by Puppet and WILL get overwritten!
[domain/astro.princeton.edu]

ipa_hostname = ipa.astro.princeton.edu
cache_credentials = True
ipa_domain = astro.princeton.edu
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
ldap_tls_cacert = /etc/ipa/ca.crt
# This option loads a precache of data, lets things like 'finger' work
# properly
enumerate = True
ipa_server_mode = True
[sssd]
services = nss, pam
config_file_version = 2

domains = astro.princeton.edu
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

This is from the machine 'ipa'; 'jedgar' exhibits the same behavior
but 'auth' does not.  I also found another thread with the same
symptoms where someone said they ran the 'kinit' line that was
reported as failing and was asked for a password, I get a simple
"kinit: Preauthentication failed while getting initial credentials"
when I do that.  The responder in that thread had asked for more
debugging, and in case it's useful here I include it:

ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_3050 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[5224] 1504634277.135166: Getting initial credentials for WELLKNOWN/anonym...@astro.princeton.edu
[5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138567: Received answer (362 bytes) from dgram 128.112.24.29:88
[5224] 1504634277.138599: Response was from master KDC
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[5224] 1504634277.138693: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
[5224] 1504634277.138697: Received cookie: MIT
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.139038: PKINIT client computed kdc-req-body checksum 9/8F3E114A4F723439791372FC00886002EE662DFD
[5224] 1504634277.139045: PKINIT client making DH request
[5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
[5224] 1504634277.167271: Produced preauth for next request: 133, 16
[5224] 1504634277.167289: Sending request (1601 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.167339: Initiating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
[5224] 1504634277.189879: Received answer (1701 bytes) from stream 128.112.24.29:88
[5224] 1504634277.189935: Terminating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.189989: Response was from master KDC
[5224] 1504634277.190010: Processing preauth types: 17, 19, 147
[5224] 1504634277.190016: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
[5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

The IP address of the KDC it's sending to is not the machine this is
running from ('ipa'), but *is* the machine that works successfully
('auth').


-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
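Editor's added example (not part of the thread, not FreeIPA project code): the trace above shows the anonymous PKINIT request being answered by 128.112.24.29 (the working server, 'auth') rather than the local KDC, so the failing and working servers cannot be told apart from a single run. The script below pins the realm to one KDC at a time through a temporary krb5.conf (KRB5_CONFIG is honoured by MIT krb5), re-runs the same kinit -n / X509_anchors invocation the post used, and reduces each KRB5_TRACE to one line: which KDC answered, whether the final pkinit module call succeeded, and whether the "could not verify DH reply" line appeared. It also wraps the openssl check that a server's kdc.crt chains to the bundle clients trust. The realm, the three KDC hostnames (taken from the posted ipa_server line) and the two anchor paths are assumptions to adjust for your own deployment; the embedded sample trace is constructed from the posted one with the e-mail line wrapping removed.

```shell
#!/bin/sh
# Added example: probe each KDC in turn with the anonymous-PKINIT kinit from the
# thread and summarise the resulting KRB5_TRACE.  Names below are assumptions.

REALM="ASTRO.PRINCETON.EDU"
# Assumed: the three servers listed under ipa_server in the posted sssd.conf
KDCS="ipa.astro.princeton.edu auth.astro.princeton.edu jedgar.astro.princeton.edu"
ANCHOR_KDC="/var/kerberos/krb5kdc/kdc.crt"
ANCHOR_BUNDLE="/var/lib/ipa-client/pki/kdc-ca-bundle.pem"

# Minimal krb5.conf that pins the realm to a single KDC, so the client cannot
# fail over to a different server than the one under test.
make_krb5_conf() {  # args: realm kdc_host
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = false\n\n' "$1"
    printf '[realms]\n %s = {\n  kdc = %s:88\n  master_kdc = %s:88\n }\n' "$1" "$2" "$2"
}

# Reduce a KRB5_TRACE log (on stdin) to: kdc=<addr> result=<ok|fail> reason=<...>
# "kdc" is the last address a request was sent to; "result" follows the last
# "Preauth module ... returned: <code>/<text>" line (0 means success).
summarize_trace() {
    awk '
      /Sending initial UDP request to dgram/ || /Sending TCP request to stream/ { kdc = $NF }
      /PKINIT client could not verify DH reply/ { reason = "dh-reply-unverified" }
      /Preauth module .* returned:/ {
          code = $0; sub(/.*returned: */, "", code); sub(/\/.*/, "", code)
      }
      END {
          if (kdc == "") kdc = "none"
          if (reason == "") reason = "none"
          printf "kdc=%s result=%s reason=%s\n", kdc, (code == "0" ? "ok" : "fail"), reason
      }'
}

# Run the same kinit the post used, but against one pinned KDC, and summarise.
probe_kdc() {  # args: kdc_host
    conf=$(mktemp); cc=$(mktemp)
    make_krb5_conf "$REALM" "$1" > "$conf"
    KRB5_CONFIG="$conf" KRB5_TRACE=/dev/stderr kinit -n -c "FILE:$cc" \
        -X "X509_anchors=FILE:$ANCHOR_KDC" -X "X509_anchors=FILE:$ANCHOR_BUNDLE" \
        2>&1 >/dev/null | summarize_trace
    rm -f "$conf" "$cc"
}

# On a KDC: does its own kdc.crt chain to the CA bundle that clients trust?
check_kdc_cert() {
    openssl verify -CAfile "$ANCHOR_BUNDLE" "$ANCHOR_KDC"
}

# Constructed sample: the posted trace, unwrapped (only the lines the summary uses).
sample_trace() {
    cat <<'EOF'
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
[5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
[5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
EOF
}

if [ "${1:-}" = "probe" ] && command -v kinit >/dev/null 2>&1; then
    for k in $KDCS; do printf '%s: ' "$k"; probe_kdc "$k"; done
else
    printf 'posted trace: '; sample_trace | summarize_trace
fi
```

Run it as `sh probe.sh probe` on the client (here, 'ipa') to get one summary line per KDC; a server whose line reads `result=fail reason=dh-reply-unverified` while another reads `result=ok` is the one whose PKINIT certificate the client's anchors do not verify, and `check_kdc_cert` run on that server shows whether its kdc.crt chains to the bundle. Without the `probe` argument the script only summarises the embedded copy of the posted trace.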
