- is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ?
  What does it contain?
- can you show your krb5.conf?
- can you strace the kinit?

On Tue, Sep 05, 2017 at 02:32:28PM -0400, Steve Huston via FreeIPA-users wrote:
> I ran it on the machine 'ipa.astro.princeton.edu'.  I would have
> expected it to talk to itself, but it seems to be talking to
> 'auth.astro.princeton.edu' instead.  I'm not sure why it failed over
> to there, or how to tell it not to (without turning
> off/rebooting/restarting auth.astro.princeton.edu, which since that's
> the one of the three machines that is working properly for password
> authentication through the web UI I'm reluctant to do so)
> 
> On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> > On Tue, Sep 05, 2017 at 02:12:57PM -0400, Steve Huston via FreeIPA-users 
> > wrote:
> >> On Tue, Sep 5, 2017 at 1:57 PM, Felipe Barreto Volpone
> >> <fbarr...@redhat.com> wrote:
> >> > What version of IPA are you running?
> >>
> >> ipa-server-4.5.0-21.el7.x86_64
> >>
> >> > Is SELinux in permissive mode?
> >>
> >> Not normally, but I set it to permissive and ran 'ipactl restart' with
> >> no change.
> >>
> >> > What are the permissions on: /var/lib/ipa-client/pki/kdc-ca-bundle.pem 
> >> > and
> >> > /var/kerberos/krb5kdc/kdc.crt ?
> >>
> >> -rw-r--r--. root root system_u:object_r:krb5kdc_conf_t:s0
> >> /var/kerberos/krb5kdc/kdc.crt
> >> -r--r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0
> >> /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >>
> >> > could you share your /etc/sssd/sssd.conf ?
> >>
> >> # !!! Warning !!!
> >> # This file is auto-generated by Puppet and WILL get overwritten!
> >> [domain/astro.princeton.edu]
> >>
> >> ipa_hostname = ipa.astro.princeton.edu
> >> cache_credentials = True
> >> ipa_domain = astro.princeton.edu
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> chpass_provider = ipa
> >> ipa_server = 
> >> ipa.astro.princeton.edu,auth.astro.princeton.edu,jedgar.astro.princeton.edu
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> # This option loads a precache of data, lets things like 'finger' work
> >> # properly
> >> enumerate = True
> >> ipa_server_mode = True
> >> [sssd]
> >> services = nss, pam
> >> config_file_version = 2
> >>
> >> domains = astro.princeton.edu
> >> [nss]
> >>
> >> [pam]
> >>
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >>
> >> [pac]
> >>
> >> This is from the machine 'ipa'; 'jedgar' exhibits the same behavior
> >> but 'auth' does not.  I also found another thread with the same
> >> symptoms where someone said they ran the 'kinit' line that was
> >> reported as failing and was asked for a password, I get a simple
> >> "kinit: Preauthentication failed while getting initial credentials"
> >> when I do that.  The responder in that thread had asked for more
> >> debugging, and in case it's useful here I include it:
> >>
> >> ipa:~# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c
> >> /var/run/ipa/ccaches/armor_3050 -X
> >> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
> >> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >> [5224] 1504634277.135166: Getting initial credentials for
> >> WELLKNOWN/anonym...@astro.princeton.edu
> >> [5224] 1504634277.135315: Sending request (221 bytes) to 
> >> ASTRO.PRINCETON.EDU
> >
> > Sorry if I'm being thick but I have trouble understanding if you ran
> > the kinit on ASTRO?
> >
> > Normally, on the IPA server, Kerberos should only talk to the machine
> > you're running at.
> >
> >> [5224] 1504634277.135517: Sending initial UDP request to dgram 
> >> 128.112.24.29:88
> >> [5224] 1504634277.138567: Received answer (362 bytes) from dgram
> >> 128.112.24.29:88
> >> [5224] 1504634277.138599: Response was from master KDC
> >> [5224] 1504634277.138652: Received error from KDC:
> >> -1765328359/Additional pre-authentication required
> >> [5224] 1504634277.138684: Processing preauth types: 16, 15, 14, 136,
> >> 19, 147, 2, 133
> >> [5224] 1504634277.138693: Selected etype info: etype aes256-cts, salt
> >> "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
> >> [5224] 1504634277.138697: Received cookie: MIT
> >> [5224] 1504634277.138726: Preauth module pkinit (147) (info) returned: 
> >> 0/Success
> >> [5224] 1504634277.139038: PKINIT client computed kdc-req-body checksum
> >> 9/8F3E114A4F723439791372FC00886002EE662DFD
> >> [5224] 1504634277.139045: PKINIT client making DH request
> >> [5224] 1504634277.167261: Preauth module pkinit (16) (real) returned: 
> >> 0/Success
> >> [5224] 1504634277.167271: Produced preauth for next request: 133, 16
> >> [5224] 1504634277.167289: Sending request (1601 bytes) to 
> >> ASTRO.PRINCETON.EDU
> >> [5224] 1504634277.167339: Initiating TCP connection to stream 
> >> 128.112.24.29:88
> >> [5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
> >> [5224] 1504634277.189879: Received answer (1701 bytes) from stream
> >> 128.112.24.29:88
> >> [5224] 1504634277.189935: Terminating TCP connection to stream 
> >> 128.112.24.29:88
> >> [5224] 1504634277.189989: Response was from master KDC
> >> [5224] 1504634277.190010: Processing preauth types: 17, 19, 147
> >> [5224] 1504634277.190016: Selected etype info: etype aes256-cts, salt
> >> "ASTRO.PRINCETON.EDUWELLKNOWNANONYMOUS", params ""
> >> [5224] 1504634277.190026: Preauth module pkinit (147) (info) returned: 
> >> 0/Success
> >> [5224] 1504634277.190070: PKINIT client could not verify DH reply
> >> [5224] 1504634277.190080: Preauth module pkinit (17) (real) returned:
> >> -1765328360/Preauthentication failed
> >> kinit: Preauthentication failed while getting initial credentials
> >>
> >> The IP address of the KDC it's sending to is not the machine this is
> >> running from ('ipa'), but *is* the machine that works successfully
> >> ('auth').
> >>
> >>
> >> --
> >> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
> >>   Princeton University  |    ICBM Address: 40.346344   -74.652242
> >>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
> >>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
> >>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
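The three things Jakub asks for (what kdcinfo.REALM pins, which KDC a traced kinit actually talks to, and where PKINIT stops) can be collected with a script like the one below. This is an added example written for this page; it is not code from the thread, from FreeIPA or from SSSD. The sample trace is constructed from the lines Steve posted, the paths are the FreeIPA/SSSD defaults on RHEL 7, the realm argument and the status labels ("dh-reply-unverified", "preauth-failed", "ok") are my own. The point of the kdcinfo check: SSSD writes the KDC it selected to /var/lib/sss/pubconf/kdcinfo.REALM and sssd_krb5_locator_plugin makes libkrb5 prefer that address over krb5.conf, which is how a kinit run on one IPA master can end up talking to another one.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): extract the KDC endpoints and the
# PKINIT outcome from a KRB5_TRACE log and compare the KDCs against SSSD's kdcinfo.

# Which KDC endpoints (host:port) did kinit actually send requests to?
trace_kdcs() {
    awk '/Sending (initial UDP|TCP) request to (dgram|stream) / { print $NF }' "$1" | sort -u
}

# Did PKINIT succeed, or where did it stop? Labels are this script's own.
trace_pkinit_status() {
    if grep -q 'PKINIT client could not verify DH reply' "$1"; then
        echo dh-reply-unverified
    elif grep -q 'Preauthentication failed' "$1"; then
        echo preauth-failed
    else
        echo ok
    fi
}

# kdcinfo.REALM holds one KDC address per line (optionally with :port).
# Return "match" if every KDC seen in the trace is listed there, else "mismatch".
kdcinfo_matches_trace() {
    kdcinfo=$1; trace=$2
    for ep in $(trace_kdcs "$trace"); do
        host=${ep%:*}
        grep -qxF "$host" "$kdcinfo" || grep -qxF "$ep" "$kdcinfo" || { echo mismatch; return 0; }
    done
    echo match
}

# Constructed sample, built from the trace lines posted in the thread.
write_sample_trace() {
    cat >"$1" <<'EOF'
[5224] 1504634277.135517: Sending initial UDP request to dgram 128.112.24.29:88
[5224] 1504634277.138567: Received answer (362 bytes) from dgram 128.112.24.29:88
[5224] 1504634277.138652: Received error from KDC: -1765328359/Additional pre-authentication required
[5224] 1504634277.167845: Sending TCP request to stream 128.112.24.29:88
[5224] 1504634277.190070: PKINIT client could not verify DH reply
[5224] 1504634277.190080: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
EOF
}

if [ "${1:-}" = live ]; then
    # Live mode: rerun the anonymous PKINIT kinit from the thread with tracing on.
    # Setting SSSD_KRB5_LOCATOR_DISABLE=true (see sssd_krb5_locator_plugin(8)) makes
    # libkrb5 ignore kdcinfo and fall back to krb5.conf, which tells you whether the
    # locator is what sends the request to the other KDC.
    realm=${2:-ASTRO.PRINCETON.EDU}
    trace=$(mktemp)
    KRB5_TRACE="$trace" kinit -n -c /tmp/armor_ccache \
        -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt \
        -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem || true
    echo "KDCs contacted:   $(trace_kdcs "$trace")"
    echo "PKINIT status:    $(trace_pkinit_status "$trace")"
    echo "kdcinfo vs trace: $(kdcinfo_matches_trace "/var/lib/sss/pubconf/kdcinfo.$realm" "$trace")"
    rm -f "$trace"
else
    # Offline demo on the constructed sample.
    t=$(mktemp); write_sample_trace "$t"
    echo "sample KDCs:   $(trace_kdcs "$t")"           # 128.112.24.29:88
    echo "sample status: $(trace_pkinit_status "$t")"  # dh-reply-unverified
    rm -f "$t"
fi
```

Run it as `sh kdc-trace-check.sh live ASTRO.PRINCETON.EDU` on the master that fails, then once more with `SSSD_KRB5_LOCATOR_DISABLE=true` in the environment. If the KDC address changes to the local host and PKINIT then verifies, the locator (and therefore what SSSD wrote to kdcinfo.REALM) is the reason the request leaves the box; if the failure persists against the local KDC, look at the anchors passed with -X X509_anchors instead.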
