Thanks for the replies! I do have the krb5-pkinit package installed.
ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage
enable didn't fix the problem.
$ ipa pkinit-status --server=SERVER_NAME
says PKINIT is disabled.
# ipa-pkinit-manage status
now says it is enabled.
$ ipa config-show
does not list any IPA masters supporting PKINIT.
If I disable then re-enable using ipa-pkinit-manage, nothing changes.
I should note that we now have one server on 4.4, which I daren't touch, and
this one on 4.5 which is having issues.
This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated
it at the password prompt. So there is something wrong with the KDC?
 1507282499.679169: Resolving unique ccache of type KEYRING
 1507282499.679205: Getting initial credentials for
 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
 1507282499.683001: Received answer (296 bytes) from stream
 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
 1507282499.683039: Response was from master KDC
 1507282499.683053: Received error from KDC: -1765328359/Additional
 1507282499.683072: Processing preauth types: 136, 19, 2, 133
 1507282499.683079: Selected etype info: etype aes256-cts, salt
"OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
 1507282499.683081: Received cookie: MIT
 1507282501.423154: Preauth module encrypted_timestamp (2) (real)
returned: -1765328252/Password read interrupted
> 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <aboko...@redhat.com>:
> On to, 05 loka 2017, Jochen Hein wrote:
>> Alexander Bokovoy <aboko...@redhat.com> writes:
>>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote:
>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>> non-zero exit status 1
>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>> missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>> it's needed for WebUI login.
>>> Looking into RHEL/CentOS spec file, I see:
>> Hm, then the dependency was missing for the client pakages for Debian/Ubuntu.
> This should not be a problem for the case above because it is IPA
> master, not a client here.
> / Alexander Bokovoy
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org