I ran it on the machine 'ipa.astro.princeton.edu'.  I would have
expected it to talk to itself, but it seems to be talking to
'auth.astro.princeton.edu' instead.  I'm not sure why it failed over
to there, or how to tell it not to (without turning
off/rebooting/restarting auth.astro.princeton.edu, which, since that's
the one of the three machines that is working properly for password
authentication through the web UI, I'm reluctant to do).

On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve Huston via FreeIPA-users 
> wrote:
>> On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone
>> <fbarr...@redhat.com> wrote:
>> > What version of IPA are you running?
>>
>> ipa-server-4.5.0-21.el7.x86_64
>>
>> > Is SELinux in permissive mode?
>>
>> Not normally, but I set it to permissive and ran 'ipactl restart' with
>> no change.
>>
>> > What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem and
>> > /var/kerberos/krb5kdc/kdc.crt ?
>>
>> -rw-r--r--. root root system_u:object_r:krb5kdc_conf_t:s0
>> /var/kerberos/krb5kdc/kdc.crt
>> -r--r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0
>> /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>
>> > could you share your /etc/sssd/sssd.conf ?
>>
>> # !!! Warning !!!
>> # This file is auto-generated by Puppet and WILL get overwritten!
>> [domain/astro.princeton.edu]
>>
>> ipa_hostname = ipa.astro.princeton.edu
>> cache_credentials = True
>> ipa_domain = astro.princeton.edu
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> chpass_provider = ipa
>> ipa_server = ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> # This option loads a precache of data, lets things like 'finger' work
>> # properly
>> enumerate = True
>> ipa_server_mode = True
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>>
>> domains = astro.princeton.edu
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> This is from the machine 'ipa'; 'jedgar' exhibits the same behavior
>> but 'auth' does not.  I also found another thread with the same
>> symptoms where someone said they ran the 'kinit' line that was
>> reported as failing and was asked for a password, I get a simple
>> "kinit: Preauthentication failed while getting initial credentials"
>> when I do that.  The responder in that thread had asked for more
>> debugging, and in case it's useful here I include it:
>>
>> ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_3050 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>> [5224] 1504634277.135166: Getting initial credentials for
>> WELLKNOWN/anonym...@astro.princeton.edu
>> [5224] 1504634277.135315: Sending request (221 bytes) to ASTRO.PRINCETON.EDU
>
> Sorry if I'm being thick but I have trouble understanding if you ran
> the kinit on ASTRO?
>
> Normally, on the IPA server, Kerberos should only talk to the machine
> you're running at.
>
>> [5224] 1504634277.135517: Sending initial UDP request to dgram 
>> 128.112.24.29:88
>> [5224] 1504634277.138567: Received answer (362 bytes) from dgram
>> 128.112.24.29:88
>> [5224] 1504634277.138599: Response was from master KDC
>> [5224] 1504634277.138652: Received error from KDC:
>> -1765328359/Additional pre-authentication required
>> [5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136,
>> 19, 147, 2, 133
>> [5224] 1504634277.138693: Selected etype info: etype aes256-cts, salt
>> "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
>> [5224] 1504634277.138697: Received cookie: MIT
>> [5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 
>> 0/Success
>> [5224] 1504634277.139038: PKINIT client computed kdc-req-body checksum
>> 9/8F3E114A4F723439791372FC00886002EE662DFD
>> [5224] 1504634277.139045: PKINIT client making DH request
>> [5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 
>> 0/Success
>> [5224] 1504634277.167271: Produced preauth for next request: 133, 16
>> [5224] 1504634277.167289: Sending request (1601 bytes) to ASTRO.PRINCETON.EDU
>> [5224] 1504634277.167339: Initiating TCP connection to stream 
>> 128.112.24.29:88
>> [5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
>> [5224] 1504634277.189879: Received answer (1701 bytes) from stream
>> 128.112.24.29:88
>> [5224] 1504634277.189935: Terminating TCP connection to stream 
>> 128.112.24.29:88
>> [5224] 1504634277.189989: Response was from master KDC
>> [5224] 1504634277.190010: Processing preauth types: 17, 19, 147
>> [5224] 1504634277.190016: Selected etype info: etype aes256-cts, salt
>> "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
>> [5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 
>> 0/Success
>> [5224] 1504634277.190070: PKINIT client could not verify DH reply
>> [5224] 1504634277.190080: Preauth module pkinit (17) (real) returned:
>> -1765328360/Preauthentication failed
>> kinit: Preauthentication failed while getting initial credentials
>>
>> The IP address of the KDC it's sending to is not the machine this is
>> running from ('ipa'), but *is* the machine that works successfully
>> ('auth').
>>
>>
>> --
>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
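The trace quoted in this thread is the kind of thing that answers Jakub's question mechanically: the "Sending initial UDP request to dgram ..." and "Initiating TCP connection to stream ..." lines name the KDC endpoint the client actually used, and the "returned: <code>/<text>" lines say how pre-authentication ended. The following parser is an added example written for this thread, not code from the list or from the FreeIPA project; it summarises a KRB5_TRACE log and flags any KDC endpoint that is not in a set of addresses the operator expects (for an IPA server, its own addresses). The sample trace embedded below is constructed to mirror the shape of the one quoted above, with placeholder addresses and realm.

```python
"""Summarise an MIT Kerberos KRB5_TRACE log: which KDC endpoints the client
actually contacted, and how pre-authentication ended.

Added example, not code from the thread or from FreeIPA.  SAMPLE_TRACE is
constructed to mirror the shape of the quoted kinit trace (PID, timestamp,
message); 192.0.2.x and EXAMPLE.TEST are documentation placeholders."""
import re
from dataclasses import dataclass, field

# "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>[\d.]+):\s+(?P<msg>.*)$")
# Transport endpoint at the end of a send/connect line, e.g. "dgram 192.0.2.20:88"
ENDPOINT_RE = re.compile(r"\b(?:dgram|stream)\s+(?P<addr>\S+?):(?P<port>\d+)$")
# krb5 result code and text, e.g. "returned: -1765328360/Preauthentication failed"
RESULT_RE = re.compile(r"returned:\s+(?P<code>-?\d+)/(?P<text>.+)$")

SEND_PREFIXES = ("Sending initial UDP request to",
                 "Initiating TCP connection to",
                 "Sending TCP request to")

# Constructed sample: kinit on a host that should be its own KDC sends to a
# different server, and the PKINIT DH reply cannot be verified.
SAMPLE_TRACE = """\
[5224] 1504634277.135166: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.TEST
[5224] 1504634277.135315: Sending request (221 bytes) to EXAMPLE.TEST
[5224] 1504634277.135517: Sending initial UDP request to dgram 192.0.2.20:88
[5224] 1504634277.138567: Received answer (362 bytes) from dgram 192.0.2.20:88
[5224] 1504634277.138599: Response was from master KDC
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 0/Success
[5224] 1504634277.167339: Initiating TCP connection to stream 192.0.2.20:88
[5224] 1504634277.167845: Sending TCP request to stream 192.0.2.20:88
[5224] 1504634277.189879: Received answer (1701 bytes) from stream 192.0.2.20:88
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
"""


@dataclass
class TraceSummary:
    kdcs_contacted: list = field(default_factory=list)  # ordered, de-duplicated "addr:port"
    preauth_errors: list = field(default_factory=list)  # (code, text) for nonzero results
    pkinit_notes: list = field(default_factory=list)    # "PKINIT client could not ..." lines
    final_result: str = "no kinit result line"          # the client's own last line, if any


def parse_trace(text: str) -> TraceSummary:
    """Walk the trace once, collecting endpoints, failures and the final verdict."""
    summary = TraceSummary()
    for raw in text.splitlines():
        raw = raw.strip()
        if raw.startswith("kinit:"):          # not a trace line; kinit's own message
            summary.final_result = raw
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(SEND_PREFIXES):
            ep = ENDPOINT_RE.search(msg)
            if ep:
                endpoint = f"{ep.group('addr')}:{ep.group('port')}"
                if endpoint not in summary.kdcs_contacted:
                    summary.kdcs_contacted.append(endpoint)
        elif msg.startswith("PKINIT client could not"):
            summary.pkinit_notes.append(msg)
        r = RESULT_RE.search(msg)
        if r and int(r.group("code")) != 0:
            summary.preauth_errors.append((int(r.group("code")), r.group("text")))
    return summary


def unexpected_kdcs(summary: TraceSummary, expected_addrs: set) -> list:
    """Endpoints whose address is not one the operator expected (e.g. the local host)."""
    return [ep for ep in summary.kdcs_contacted
            if ep.rsplit(":", 1)[0] not in expected_addrs]


if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE)
    # Assumed local address of the host running kinit (placeholder).
    strays = unexpected_kdcs(s, {"192.0.2.10"})
    print("KDC endpoints contacted:", s.kdcs_contacted)
    print("Not the expected local KDC:", strays)
    print("PKINIT diagnostics:", s.pkinit_notes)
    print("Pre-auth failures:", s.preauth_errors)
    print("Result:", s.final_result)
```

Running it against a real trace (`KRB5_TRACE=/dev/stderr kinit ... 2>trace.log`, then feeding the file instead of SAMPLE_TRACE) gives the two facts worth checking first in a situation like this one: whether the client went to the host it was run on at all, and whether the failure is a transport problem or, as here, a PKINIT verification failure after a successful exchange with a remote KDC. If the endpoint is unexpected, the next place to look is where the client learned the KDC list (the realm's entry in krb5.conf, or DNS SRV records when DNS lookup of KDCs is enabled), since kinit does not pick a server on its own.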