Chris Moody wrote:
> Thanks for taking a look gents.  Ask and ye shall receive.  :)
> 

What version of IPA is this and what platform?

Before an install can you ensure that there is nothing in
/etc/krb5.conf.d/ (except maybe crypto-policies)?

Same with /var/lib/sss/pubconf/krb5.include.d/

Might also be interesting to try to force a specific master by adding
--server <fqdn of master> to the install line, just to see.

I'm guessing the client is old as it doesn't appear to support the
newer-style ipa-getkeytab:

2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s
sfca-do-4.ipa.xyz.com -b dc=ipa,dc=xyz,dc=com -h sfca-do-1.xyz.com
2018-01-17T02:11:51Z DEBUG Process finished, return code=0
2018-01-17T02:11:51Z DEBUG stdout=
2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to
decode GetKeytab Control.

Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.xyz.COM

2018-01-17T02:11:51Z INFO Enrolled in IPA realm IPA.xyz.COM

It does look like it enrolls ok and gets a keytab.

Note too that just about this it is able to get a TGT for the admin user
via kinit:

2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit ad...@ipa.xyz.com -c
/tmp/krbccCNSUmS/ccache

The only difference in Kerberos usage between the enrollment and the
rest is that during enrollment a fixed KDC is defined in the temporary
krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IPA.xyz.COM = {
    kdc = sfca-do-4.ipa.xyz.com:88
    master_kdc = sfca-do-4.ipa.xyz.com:88
    admin_server = sfca-do-4.ipa.xyz.com:749
    default_domain = xyz.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

[domain_realm]
  .xyz.com = IPA.xyz.COM
  xyz.com = IPA.xyz.COM


It is failing trying to autodiscover things later:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IPA.xyz.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .xyz.com = IPA.xyz.COM
  xyz.com = IPA.xyz.COM

Discovery appears to be working as expected:

2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"
2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of
_kerberos._udp.xyz.com
2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88
sfca-do-4.ipa.xyz.com.

So I'm not entirely sure what is happening.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
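As an added example (not part of Rob's reply, and not FreeIPA's or MIT krb5's own code), the script below parses abbreviated copies of the two krb5.conf variants quoted above and shows which KDC each one leads libkrb5 to: the enrollment-time file pins the KDC in the [realms] block, while the post-install file leaves it to SRV discovery. The SRV answers are a constructed lookup table rather than a real resolver, and the name libkrb5 queries under dns_lookup_kdc is _kerberos._udp. followed by the realm name, which is a different name from the _kerberos._udp.xyz.com record that ipa-client's own discovery queried. unexpected_snippets is a hypothetical helper for the "nothing else in /etc/krb5.conf.d/ or krb5.include.d/" check Rob asks for; the allow-list and the directory contents used in testing are constructed.

```python
"""Added example (not from the FreeIPA-users thread or from FreeIPA itself):
parse the two krb5.conf variants Rob quotes and show which KDC each leads to.
SRV answers and snippet-directory contents are constructed test data."""
import os
import re

# Abbreviated from the enrollment-time file in the mail: KDC pinned in [realms].
ENROLLMENT_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_kdc = false
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.xyz.COM = {
    kdc = sfca-do-4.ipa.xyz.com:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

# Abbreviated from the post-install file: no kdc =, discovery left to DNS.
POST_INSTALL_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.xyz.COM
  dns_lookup_kdc = true

[realms]
  IPA.xyz.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: returns (includedirs, {section: {key: [values]}});
    a 'name = { ... }' block becomes a nested dict under its section."""
    includedirs, sections, section, block = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("includedir ", "include ")):
            includedirs.append(line.split(None, 1)[1])
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section is None or not sep or not key:
            raise ValueError(f"cannot parse line: {raw!r}")
        if value == "{":
            block = key
            sections[section].setdefault(key, {})
            continue
        target = sections[section][block] if block else sections[section]
        target.setdefault(key, []).append(value)
    return includedirs, sections

def kdcs_for_realm(sections, realm, srv_lookup):
    """Return (source, kdcs). An explicit 'kdc =' wins; otherwise, when
    dns_lookup_kdc is enabled (MIT default: true), libkrb5 asks DNS for the SRV
    record _kerberos._udp.<REALM>: the realm name, not the host's DNS domain."""
    realm_block = sections.get("realms", {}).get(realm, {})
    if realm_block.get("kdc"):
        return "krb5.conf", list(realm_block["kdc"])
    flag = sections.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if flag.lower() in ("true", "yes", "on", "1"):  # spellings MIT krb5 accepts
        return "dns", srv_lookup(f"_kerberos._udp.{realm}")
    return "none", []

def unexpected_snippets(directory, allowed=("crypto-policies",)):
    """Hypothetical helper for the 'nothing else in the includedir' check:
    entries in an includedir not on the allow-list ([] if the dir is absent)."""
    if not os.path.isdir(directory):
        return []
    return sorted(n for n in os.listdir(directory) if n not in allowed)

# Constructed SRV answers, keyed by lower-cased query name.
CONSTRUCTED_SRV = {
    "_kerberos._udp.xyz.com": ["sfca-do-4.ipa.xyz.com:88"],      # name ipa-client discovery queried
    "_kerberos._udp.ipa.xyz.com": ["sfca-do-4.ipa.xyz.com:88"],  # name libkrb5 queries for IPA.xyz.COM
}

def fake_srv_lookup(name):
    return CONSTRUCTED_SRV.get(name.lower(), [])

if __name__ == "__main__":
    for label, text in (("enrollment", ENROLLMENT_CONF), ("post-install", POST_INSTALL_CONF)):
        includedirs, sections = parse_krb5_conf(text)
        print(label, kdcs_for_realm(sections, "IPA.xyz.COM", fake_srv_lookup), includedirs)
```

Run as-is it reports "krb5.conf" as the KDC source for the enrollment file and "dns" for the post-install one; pointing the includedir loop at the real /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d/ on the client turns the second half of Rob's checklist into a one-line report.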