Thanks for the replies! I do have the krb5-pkinit package installed. 
ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage 
enable didn't fix the problem. 

$ ipa pkinit-status --server=SERVER_NAME 
says PKINIT is disabled.
# ipa-pkinit-manage status
now says it is enabled.
$ ipa config-show 
does not list any IPA masters supporting PKINIT.

If I disable then re-enable using ipa-pkinit-manage, nothing changes.

I should note that we now have one server on 4.4, which I daren't touch, and 
this one on 4.5 which is having issues.

This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated 
it at the password prompt. So there is something wrong with the KDC?

[3790] 1507282499.679169: Resolving unique ccache of type KEYRING
[3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/anonym...@ous.nsc.LOCAL
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
[3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
[3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
[3790] 1507282499.683081: Received cookie: MIT
[3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted



> On 5 Oct 2017, at 21:11, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Thu, 05 Oct 2017, Jochen Hein wrote:
>> Alexander Bokovoy <aboko...@redhat.com> writes:
>> 
>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>> 
>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>> non-zero exit status 1
>>>> 
>>>> Do you have krb5-pkinit installed?  I think there is a dependency
>>>> missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>> it's needed for WebUI login.
>>> Looking into RHEL/CentOS spec file, I see:
>> 
>> Hm, then the dependency was missing for the client packages for Debian/Ubuntu.
> This should not be a problem for the case above because it is IPA
> master, not a client here.
> 
> -- 
> / Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
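
Added example (not part of the original message, and not FreeIPA or MIT krb5 code): a small Python parser for KRB5_TRACE output like the trace above. It names the preauth types the KDC offered and reports whether PKINIT (types 16/17) was among them. It assumes the numeric "Processing preauth types" format seen in this thread; the second sample line is constructed for contrast.

```python
import re

# Pre-authentication type numbers (RFC 4120, RFC 4556, RFC 6113).
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    138: "PA-ENCRYPTED-CHALLENGE",
}
PKINIT_TYPES = {16, 17}

PREAUTH_RE = re.compile(r"Processing preauth types: ([\d, ]+)")
MODULE_RE = re.compile(r"Preauth module (\S+) \((\d+)\)")


def analyze_trace(trace):
    """Return offered preauth types, modules tried, and whether PKINIT was offered."""
    offered, modules = [], []
    for line in trace.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            offered = [int(n) for n in m.group(1).split(",") if n.strip()]
        m = MODULE_RE.search(line)
        if m:
            modules.append(m.group(1))
    return {
        "offered": [(n, PA_NAMES.get(n, "unknown")) for n in offered],
        "modules_tried": modules,
        "pkinit_offered": bool(PKINIT_TYPES & set(offered)),
    }


# Two lines taken from the trace in the message above (mail line wraps rejoined).
TRACE_FROM_POST = """\
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
[3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
"""

# Constructed line (not from the thread): a KDC that also offers PKINIT (type 16).
TRACE_CONSTRUCTED = "[1] 0.0: Processing preauth types: 136, 16, 19, 2, 133\n"

if __name__ == "__main__":
    for name, t in (("post", TRACE_FROM_POST), ("constructed", TRACE_CONSTRUCTED)):
        print(name, analyze_trace(t))
```

For the trace in this message it reports FAST, ETYPE-INFO2, encrypted timestamp and the FAST cookie, with no PKINIT type offered, which is consistent with ipa pkinit-status reporting PKINIT as disabled and with kinit -n falling back to a password prompt.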