Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that 
it would use the value in krb5.conf, which is the 4.5 server).  It goes to 248 
every time.

strace showed me that kinit gets the IP address from 
/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP 
address of the other master. I changed it to 192.168.1.249, the 4.5 master, and 
it works! 


> On 6 Oct 2017 at 11:56, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with 
>> ipa-pkinit-manage enable didn't fix the problem.
>> 
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>> 
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>> 
>> I should note that we now have one server on 4.4, which I daren't touch, and 
>> this one on 4.5 which is having issues.
>> 
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I 
>> terminated it at the password prompt. So there is something wrong with the 
>> KDC?
>> 
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for 
>> WELLKNOWN/anonym...@ous.nsc.LOCAL
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 
>> 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 
>> 192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 
>> 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional 
>> pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt 
>> "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) 
>> returned: -1765328252/Password read interrupted
> 
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
> 
> 
>> 
>> 
>> 
>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> 
>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <aboko...@redhat.com> writes:
>>>> 
>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>> 
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>> non-zero exit status 1
>>>>>> 
>>>>>> Do you have krb5-pkinit installed?  I think there is a dependency
>>>>>> missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>> it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>> 
>>>> Hm, then the dependency was missing for the client packages for 
>>>> Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>> 
>>> --
>>> / Alexander Bokovoy
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
> -- 
> / Alexander Bokovoy
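The two questions this thread turns on, which KDC kinit actually talked to and whether that KDC advertised PKINIT, can both be read straight out of the KRB5_TRACE output quoted above. Here is a small parser for that, written as an added example for this thread (it is not code from the thread, from FreeIPA or from MIT Kerberos). The pre-auth type numbers are the RFC assignments (RFC 4120, 4556, 6113); the sample trace is constructed from the lines quoted above, with the mail client's line wrapping left in so the unwrap step has something to repair; the `expected_kdcs` set you pass to `diagnose()` is an assumed input, the addresses the client is supposed to be using.

```python
"""Parse MIT Kerberos KRB5_TRACE output: which KDC did kinit contact, what
error came back, and did the KDC offer PKINIT pre-authentication?
Added example, not code from the thread, FreeIPA or MIT Kerberos."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Pre-authentication type numbers (RFC 4120 sec. 7.5.2, RFC 4556, RFC 6113).
PA_TYPES = {
    2: "PA-ENC-TIMESTAMP",
    16: "PA-PK-AS-REQ",      # PKINIT request
    17: "PA-PK-AS-REP",      # PKINIT reply
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}
PKINIT_TYPES: Set[int] = {16, 17}

# Every genuine trace line starts with "[pid] seconds.micros: message".
LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")
SEND_RE = re.compile(
    r"Sending (?:initial )?(?:TCP|UDP) request to (?:stream|dgram) (\S+):(\d+)")
ERROR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
PREAUTH_RE = re.compile(r"Processing preauth types: ([\d, ]+)")

# Constructed sample: the trace lines quoted in the thread, wrapping included.
SAMPLE_TRACE = """\
[3790] 1507282499.679169: Resolving unique ccache of type KEYRING
[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream
192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683001: Received answer (296 bytes) from stream
192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC
[3790] 1507282499.683053: Received error from KDC: -1765328359/Additional
pre-authentication required
[3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
"""


@dataclass
class TraceReport:
    kdcs: List[str] = field(default_factory=list)   # host:port actually contacted
    error: Optional[Tuple[int, str]] = None          # (code, text) from the KDC
    preauth: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def pkinit_offered(self) -> bool:
        return any(t in PKINIT_TYPES for t, _ in self.preauth)


def unwrap(text: str) -> List[str]:
    """Re-join lines a mail client wrapped: a line without the
    "[pid] timestamp:" prefix continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if LINE_RE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def parse_trace(text: str) -> TraceReport:
    report = TraceReport()
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        s, e, p = SEND_RE.search(msg), ERROR_RE.search(msg), PREAUTH_RE.search(msg)
        if s:
            kdc = f"{s.group(1)}:{s.group(2)}"
            if kdc not in report.kdcs:
                report.kdcs.append(kdc)
        elif e:
            report.error = (int(e.group(1)), e.group(2).strip())
        elif p:
            types = [int(t) for t in p.group(1).replace(",", " ").split()]
            report.preauth = [(t, PA_TYPES.get(t, "unknown")) for t in types]
    return report


def diagnose(report: TraceReport, expected_kdcs: Set[str]) -> List[str]:
    """Findings a troubleshooter acts on. expected_kdcs (assumed input) holds
    the KDC addresses the client is supposed to use."""
    findings: List[str] = []
    for kdc in report.kdcs:
        if kdc.rsplit(":", 1)[0] not in expected_kdcs:
            findings.append(
                f"kinit contacted {kdc}, not one of {sorted(expected_kdcs)}; "
                "check /var/lib/sss/pubconf/kdcinfo.<REALM>, which the SSSD "
                "locator plugin hands to libkrb5 ahead of krb5.conf")
    if report.preauth and not report.pkinit_offered:
        offered = ", ".join(f"{t} ({n})" for t, n in report.preauth)
        findings.append(
            f"KDC offered no PKINIT pre-auth type (16/17), only {offered}; "
            "'kinit -n' therefore falls back to encrypted timestamp and "
            "prompts for a password")
    return findings


if __name__ == "__main__":
    r = parse_trace(SAMPLE_TRACE)
    print("KDCs contacted:", r.kdcs, "error:", r.error)
    for finding in diagnose(r, {"192.168.1.249"}):
        print("-", finding)
```

Run against the quoted trace with the 4.5 master (192.168.1.249) as the expected KDC, it reports both problems at once: the request went to .248, and that KDC only offered FAST, ETYPE-INFO2, encrypted timestamp and the FX cookie, which is exactly why kinit -n ended at a password prompt. To use it on a live system, run `KRB5_TRACE=/dev/stderr kinit -n 2> trace.txt` and feed the file to parse_trace().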
