Thanks for the replies! I do have the krb5-pkinit package installed. ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem.
$ ipa pkinit-status --server=SERVER_NAME says PKINIT is disabled. # ipa-pkinit-manage status now says it is enabled. $ ipa config-show does not list any IPA masters supporting PKINIT. If I disable then re-enable using ipa-pkinit-manage, nothing changes. I should note that we now have one server on 4.4, which I daren't touch, and this one on 4.5 which is having issues. This is the output from kinit -n as my user, with KRB5_TRACE on. I terminated it at the password prompt. So there is something wrong with the KDC?  1507282499.679169: Resolving unique ccache of type KEYRING  1507282499.679205: Getting initial credentials for WELLKNOWN/anonym...@ous.nsc.LOCAL  1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL  1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88  1507282499.681311: Sending TCP request to stream 192.168.1.248:88  1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88  1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88  1507282499.683039: Response was from master KDC  1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required  1507282499.683072: Processing preauth types: 136, 19, 2, 133  1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""  1507282499.683081: Received cookie: MIT  1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted > 5. okt. 2017 kl. 21.11 skrev Alexander Bokovoy <aboko...@redhat.com>: > > On to, 05 loka 2017, Jochen Hein wrote: >> Alexander Bokovoy <aboko...@redhat.com> writes: >> >>> On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote: >> >>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote >>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c >>>>> /var/run/ipa/ccaches/armor_7424 -X >>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X >>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned >>>>> non-zero exit status 1 >>>> >>>> Do you have krb5-pkinit installed? I think there is a dependency >>>> missing. And I ran "ipa-pkinit-manage enable", but I don't remember if >>>> it's needed for WebUI login. >>> Looking into RHEL/CentOS spec file, I see: >> >> Hm, then the dependency was missing for the client pakages for Debian/Ubuntu. > This should not be a problem for the case above because it is IPA > master, not a client here. > > -- > / Alexander Bokovoy _______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org