Just learned a new keyboard shortcut in my mail client. Didn't mean to send 
without saying thanks a lot, that was very helpful.


> On 6 Oct 2017 at 12:24, Marius Bjørnstad via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed 
> that it would use the value in krb5.conf, which is the 4.5 server).  It goes 
> to 248 every time.
> 
> strace showed me that kinit gets the IP address from 
> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the IP 
> address of the other master. I changed it to 192.168.1.249, the 4.5 master, 
> and it works! 
> 
> 
>> On 6 Oct 2017 at 11:56, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> 
>> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>>> Thanks for the replies! I do have the krb5-pkinit package installed.
>>> ipa-pkinit-manage status was disabled, but enabling it with 
>>> ipa-pkinit-manage enable didn't fix the problem.
>>> 
>>> $ ipa pkinit-status --server=SERVER_NAME
>>> says PKINIT is disabled.
>>> # ipa-pkinit-manage status
>>> now says it is enabled.
>>> $ ipa config-show
>>> does not list any IPA masters supporting PKINIT.
>>> 
>>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>> 
>>> I should note that we now have one server on 4.4, which I daren't touch, 
>>> and this one on 4.5 which is having issues.
>>> 
>>> This is the output from kinit -n as my user, with KRB5_TRACE on. I 
>>> terminated it at the password prompt. So there is something wrong with the 
>>> KDC?
>>> 
>>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>>> [3790] 1507282499.679205: Getting initial credentials for 
>>> WELLKNOWN/anonym...@ous.nsc.LOCAL
>>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>>> [3790] 1507282499.681128: Initiating TCP connection to stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.683008: Terminating TCP connection to stream 
>>> 192.168.1.248:88
>>> [3790] 1507282499.683039: Response was from master KDC
>>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional 
>>> pre-authentication required
>>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt 
>>> "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>>> [3790] 1507282499.683081: Received cookie: MIT
>>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) 
>>> returned: -1765328252/Password read interrupted
>> 
>> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>> 
>> 
>>> 
>>> 
>>> 
>>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>> 
>>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>>> Alexander Bokovoy <aboko...@redhat.com> writes:
>>>>> 
>>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>>> 
>>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>>> non-zero exit status 1
>>>>>>> 
>>>>>>> Do you have krb5-pkinit installed?  I think there is a dependency
>>>>>>> missing.  And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>>> it's needed for WebUI login.
>>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>> 
>>>>> Hm, then the dependency was missing for the client packages for 
>>>>> Debian/Ubuntu.
>>>> This should not be a problem for the case above because it is IPA
>>>> master, not a client here.
>>>> 
>>>> --
>>>> / Alexander Bokovoy
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> 
>> -- 
>> / Alexander Bokovoy

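Added example, not part of the original thread and not FreeIPA or SSSD code: a shell check for the situation resolved above, where kinit contacted the KDC listed in the SSSD kdcinfo file instead of the one expected from krb5.conf. The sample trace and kdcinfo text are constructed from values quoted in the thread, the function names are hypothetical, and the kdcinfo format (one IPv4 address per line, optional `:port`) is an assumption.

```shell
# Added example (not from the thread); function names are hypothetical.
# Constructed sample: trace lines quoted in the thread, one event per line.
SAMPLE_TRACE='[3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
[3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
[3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
[3790] 1507282499.683039: Response was from master KDC'
# Constructed sample: kdcinfo content as described in the thread.
SAMPLE_KDCINFO='192.168.1.248'

# Unique KDC addresses contacted, read from KRB5_TRACE output on stdin.
trace_kdcs() {
    sed -nE 's/.* to (stream|dgram) ([0-9.]+):[0-9]+$/\2/p' | sort -u
}

# Addresses from kdcinfo.REALM text on stdin.
# Assumption: one IPv4 address per line, optionally followed by :port.
kdcinfo_addrs() {
    sed -E 's/[[:space:]]+//g; /^$/d; s/:[0-9]+$//'
}

# check_kdc EXPECTED_IP TRACE_TEXT KDCINFO_TEXT
# Returns 0 if EXPECTED_IP is the only KDC contacted, 1 otherwise.
check_kdc() {
    local expected contacted pinned addr
    expected=$1
    contacted=$(printf '%s\n' "$2" | trace_kdcs)
    pinned=$(printf '%s\n' "$3" | kdcinfo_addrs)
    if [ "$contacted" = "$expected" ]; then
        echo "OK: kinit contacted only $expected"
        return 0
    fi
    echo "MISMATCH: expected $expected, contacted: ${contacted:-none}"
    for addr in $contacted; do
        if printf '%s\n' "$pinned" | grep -qxF -- "$addr"; then
            echo "  $addr is listed in the kdcinfo file"
        fi
    done
    return 1
}
```

On a real host, capture the trace with `KRB5_TRACE=/tmp/kinit.trace kinit -n`, then pass the contents of that file and of `/var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL` as the second and third arguments.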
