On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve Huston via FreeIPA-users wrote:
> On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone
> <fbarr...@redhat.com> wrote:
> > What version of IPA are you running?
> 
> ipa-server-4.5.0-21.el7.x86_64
> 
> > Is SELinux in permissive mode?
> 
> Not normally, but I set it to permissive and ran 'ipactl restart' with
> no change.
> 
> > What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem and
> > /var/kerberos/krb5kdc/kdc.crt ?
> 
> -rw-r--r--. root root system_u:object_r:krb5kdc_conf_t:s0
> /var/kerberos/krb5kdc/kdc.crt
> -r--r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0
> /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> 
> > could you share your /etc/sssd/sssd.conf ?
> 
> # !!! Warning !!!
> # This file is auto-generated by Puppet and WILL get overwritten!
> [domain/astro.princeton.edu]
> 
> ipa_hostname = ipa.astro.princeton.edu
> cache_credentials = True
> ipa_domain = astro.princeton.edu
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
> ldap_tls_cacert = /etc/ipa/ca.crt
> # This option loads a precache of data, lets things like 'finger' work
> # properly
> enumerate = True
> ipa_server_mode = True
> [sssd]
> services = nss, pam
> config_file_version = 2
> 
> domains = astro.princeton.edu
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> This is from the machine 'ipa'; 'jedgar' exhibits the same behavior
> but 'auth' does not.  I also found another thread with the same
> symptoms where someone said they ran the 'kinit' line that was
> reported as failing and was asked for a password, I get a simple
> "kinit: Preauthentication failed while getting initial credentials"
> when I do that.  The responder in that thread had asked for more
> debugging, and in case it's useful here I include it:
> 
> ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_3050 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> [5224] 1504634277.135166: Getting initial credentials for WELLKNOWN/anonym...@astro.princeton.edu
> [5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU

Sorry if I'm being thick but I have trouble understanding if you ran
the kinit on ASTRO?

Normally, on the IPA server, Kerberos should only talk to the machine
you're running at.

> [5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
> [5224] 1504634277.138567: Received answer (362 bytes) from dgram 128.112.24.29:88
> [5224] 1504634277.138599: Response was from master KDC
> [5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
> [5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
> [5224] 1504634277.138693: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
> [5224] 1504634277.138697: Received cookie: MIT
> [5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
> [5224] 1504634277.139038: PKINIT client computed kdc-req-body checksum 9/8F3E114A4F723439791372FC00886002EE662DFD
> [5224] 1504634277.139045: PKINIT client making DH request
> [5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
> [5224] 1504634277.167271: Produced preauth for next request: 133, 16
> [5224] 1504634277.167289: Sending request (1601 bytes) to ASTRO.PRINCETON.EDU
> [5224] 1504634277.167339: Initiating TCP connection to stream 128.112.24.29:88
> [5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
> [5224] 1504634277.189879: Received answer (1701 bytes) from stream 128.112.24.29:88
> [5224] 1504634277.189935: Terminating TCP connection to stream 128.112.24.29:88
> [5224] 1504634277.189989: Response was from master KDC
> [5224] 1504634277.190010: Processing preauth types: 17, 19, 147
> [5224] 1504634277.190016: Selected etype info: etype aes256-cts, salt "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
> [5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 0/Success
> [5224] 1504634277.190070: PKINIT client could not verify DH reply
> [5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
> kinit: Preauthentication failed while getting initial credentials
> 
> The IP address of the KDC it's sending to is not the machine this is
> running from ('ipa'), but *is* the machine that works successfully
> ('auth').
> 
> 
> -- 
> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
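One way to check what a trace like the one quoted above is actually saying, as an added example that is not code from the post, from FreeIPA or from MIT Kerberos: a small Python parser over KRB5_TRACE records that lists the KDC addresses kinit contacted, flags any address that is not one of the local server's own, and reports the last failing preauth module together with the "could not verify DH reply" marker. The sample records are copied from the post (with the e-mail line wrapping undone); the address 128.112.24.10 used for the host 'ipa' in the usage is an assumption, since the post does not give it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# KRB5_TRACE records from the kinit run quoted in the thread above; the
# e-mail line wrapping has been undone so that each record is one line.
SAMPLE_TRACE = """\
[5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138567: Received answer (362 bytes) from dgram 128.112.24.29:88
[5224] 1504634277.138599: Response was from master KDC
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.139045: PKINIT client making DH request
[5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 0/Success
[5224] 1504634277.167289: Sending request (1601 bytes) to ASTRO.PRINCETON.EDU
[5224] 1504634277.167339: Initiating TCP connection to stream 128.112.24.29:88
[5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
[5224] 1504634277.189879: Received answer (1701 bytes) from stream 128.112.24.29:88
[5224] 1504634277.190010: Processing preauth types: 17, 19, 147
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
"""

RECORD_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
SEND_RE = re.compile(r"^Sending (?:initial UDP|TCP) request to (dgram|stream) (\S+):(\d+)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")
PREAUTH_RE = re.compile(r"^Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")
DH_FAIL = "PKINIT client could not verify DH reply"


@dataclass
class TraceSummary:
    kdcs: List[Tuple[str, str, int]] = field(default_factory=list)        # (transport, host, port)
    kdc_errors: List[Tuple[int, str]] = field(default_factory=list)       # (code, message)
    preauth: List[Tuple[str, int, str, int, str]] = field(default_factory=list)  # (module, padata type, kind, code, message)
    dh_reply_unverified: bool = False


def parse_trace(text: str) -> TraceSummary:
    """Pull the KDC contacts, KDC errors and preauth results out of KRB5_TRACE output."""
    s = TraceSummary()
    for line in text.splitlines():
        rec = RECORD_RE.match(line.strip())
        if not rec:
            continue  # not a trace record (e.g. the trailing "kinit: ..." line)
        msg = rec.group(1)
        m = SEND_RE.match(msg)
        if m:
            s.kdcs.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = KDC_ERR_RE.match(msg)
        if m:
            s.kdc_errors.append((int(m.group(1)), m.group(2)))
            continue
        m = PREAUTH_RE.match(msg)
        if m:
            s.preauth.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
            continue
        if msg == DH_FAIL:
            s.dh_reply_unverified = True
    return s


def contacted_hosts(s: TraceSummary) -> List[str]:
    """Distinct KDC addresses, in the order they were first contacted."""
    seen: List[str] = []
    for _, host, _ in s.kdcs:
        if host not in seen:
            seen.append(host)
    return seen


def foreign_kdcs(s: TraceSummary, local_addrs: Set[str]) -> List[str]:
    """KDC addresses that are not one of this server's own addresses."""
    return [h for h in contacted_hosts(s) if h not in local_addrs]


def final_preauth_failure(s: TraceSummary) -> Optional[str]:
    """Last failing 'real' preauth module, as module(padata type): code/message."""
    for module, ptype, kind, code, text in reversed(s.preauth):
        if kind == "real" and code != 0:
            return "%s(%d): %d/%s" % (module, ptype, code, text)
    return None


def diagnose(text: str, local_addrs: Set[str]) -> Dict[str, object]:
    s = parse_trace(text)
    foreign = foreign_kdcs(s, local_addrs)
    failure = final_preauth_failure(s)
    if s.dh_reply_unverified and foreign:
        verdict = ("DH reply from %s could not be verified against the supplied X509_anchors, and %s "
                   "is not a local KDC address: check which KDC krb5.conf/DNS selects and whether "
                   "the anchors cover that KDC's certificate" % (foreign[0], foreign[0]))
    elif s.dh_reply_unverified:
        verdict = "DH reply from the local KDC could not be verified: check the local kdc.crt and anchors"
    elif failure:
        verdict = "preauth failed: " + failure
    else:
        verdict = "no preauth failure recorded"
    return {"kdcs": contacted_hosts(s), "foreign_kdcs": foreign, "kdc_errors": s.kdc_errors,
            "preauth_failure": failure, "dh_reply_unverified": s.dh_reply_unverified, "verdict": verdict}


if __name__ == "__main__":
    # 128.112.24.10 is an assumed address for the host 'ipa'; the post does not give it.
    for key, value in diagnose(SAMPLE_TRACE, {"127.0.0.1", "128.112.24.10"}).items():
        print("%-20s %s" % (key, value))
```

To use it on a live system, capture the trace to a file (KRB5_TRACE=/path/to/trace.log before the kinit command quoted above) and pass the file contents to diagnose() together with the set of addresses the local server answers on; the only thing the parser looks at is which KDC address answered and which preauth module returned the error, which is exactly the question the reply above is asking.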