On ma, 11 maalis 2019, Alexander Bokovoy via FreeIPA-users wrote:
On ma, 11 maalis 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,

Sorry, yes indeed using ipa-client-install. The ipaclient-install.log
should be attached, I can upload to dropbox if needed. Discovery
happens successfully, but LDAP GSSAPI authentication is failing for some
reason.
Sorry! I didn't check the attachments, this was my fault!

I'll look later tonight.
.. I think the issue is that your configuration is definitely broken.

in ipaclient-install.log we can see a DNS SRV record that has a weird name 
ipa-a.virt.in.bmrc.ox.ac.uk.virt.in.bmrc.ox.ac.uk.

2019-03-11T12:30:58Z DEBUG Search DNS for SRV record of 
_kerberos._udp.virt.in.bmrc.ox.ac.uk
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 88 
ipa-a.virt.in.bmrc.ox.ac.uk.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 88 
ipa-b.virt.in.bmrc.ox.ac.uk.

For LDAP discovery then we are OK:

2019-03-11T12:30:58Z DEBUG Start searching for LDAP SRV record in 
"virt.in.bmrc.ox.ac.uk" (Validating DNS Discovery) and its sub-domains
2019-03-11T12:30:58Z DEBUG Search DNS for SRV record of 
_ldap._tcp.virt.in.bmrc.ox.ac.uk
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 389 
ipa-a.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS record found: 0 100 389 
ipa-b.virt.in.bmrc.ox.ac.uk.
2019-03-11T12:30:58Z DEBUG DNS validated, enabling discovery

However, there seems to be some issue with the DNS setup for
ipa-b.virt.$domain machine -- is this a CNAME?

In the ipaclient-install.log we see that admin user can get an initial
ticket granting ticket just fine:

2019-03-11T12:31:04Z DEBUG Initializing principal ad...@in.bmrc.ox.ac.uk using 
password
2019-03-11T12:31:04Z DEBUG Starting external process
2019-03-11T12:31:04Z DEBUG args=/usr/bin/kinit ad...@in.bmrc.ox.ac.uk -c 
/tmp/krbccEqCmTM/ccache
2019-03-11T12:31:04Z DEBUG Process finished, return code=0
2019-03-11T12:31:04Z DEBUG stdout=Password for ad...@in.bmrc.ox.ac.uk:

2019-03-11T12:31:04Z DEBUG stderr=

But when trying to authenticate to LDAP with SASL GSSAPI we fail:

2019-03-11T12:31:04Z DEBUG trying to retrieve CA cert via LDAP from 
ipa-b.virt.in.bmrc.ox.ac.uk
2019-03-11T12:31:04Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: 
 Invalid credentials
2019-03-11T12:31:04Z DEBUG Insufficient access:  Invalid credentials

In KDC logs we see that we requested a service ticket for
ldap/ipa-b.in.bmrc.ox.ac.uk rather than for ldap/ipa-b.virt.in.bmrc.ox.ac.uk:
Mar 11 12:31:06 ipa-b.in.bmrc.ox.ac.uk krb5kdc[5701](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime
1552307464, etypes {rep=18 tkt=18 ses=18}, +ad...@in.bmrc.ox.ac.uk for
ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk

Note that ldap/ipa-b.$domain looks like a correct Kerberos service
principal because the KDC knows about it. However, this is definitely not
the same principal as the one used by the LDAP server itself, as the LDAP
server cannot use its own key to decode the service ticket sent by the
client, thus resulting in 'Invalid credentials'.

So, you need to look at what you have defined as a service principal
ldap/* and what you have defined in DNS for that LDAP server.

Can you also look at /etc/dirsrv/ds.keytab on ipa-b server? Use 'klist
-kt /etc/dirsrv/ds.keytab'.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
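The diagnosis above boils down to two comparisons: the ldap/ principal the KDC issued a ticket for versus the principals in /etc/dirsrv/ds.keytab, and the SRV targets returned during discovery versus the zone they were queried in. The following script, an added example that is not code from the FreeIPA project or from the thread, does both checks offline on constructed inputs shaped like the log lines quoted above (the klist -kt listing, the full admin principal and the KVNO/timestamps are made up; the elided addresses in the thread are replaced by complete ones). Run it as-is, or feed it the real `klist -kt` output and a real krb5kdc TGS_REQ line.

```python
"""Check that the ldap/ service principal a client obtained a ticket for is
actually held in the LDAP server's keytab, and flag SRV targets whose zone
origin was appended twice (the classic missing trailing dot in a zone file).

Added example, not FreeIPA code. All sample data below is constructed.
"""
import re

# Constructed `klist -kt /etc/dirsrv/ds.keytab` output as it might look on ipa-b.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/11/2019 10:02:17 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 03/11/2019 10:02:17 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
"""

# Constructed krb5kdc TGS_REQ line in the same shape as the one in the thread,
# with the elided client principal written out in full.
SAMPLE_KDC_LOG = (
    "Mar 11 12:31:06 ipa-b.in.bmrc.ox.ac.uk krb5kdc[5701](info): TGS_REQ (8 "
    "etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime "
    "1552307464, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for "
    "ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK"
)

# SRV answers as ipa-client-install logs them: "priority weight port target".
SAMPLE_SRV = [
    "0 100 88 ipa-a.virt.in.bmrc.ox.ac.uk.virt.in.bmrc.ox.ac.uk.",
    "0 100 88 ipa-b.virt.in.bmrc.ox.ac.uk.",
]

# klist -kt data lines: KVNO, date, time, principal
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)$")
# krb5kdc "ISSUE: ..., <client> for <service>" tail of a TGS_REQ line
TGS_RE = re.compile(r"ISSUE: .*?, (\S+) for (\S+)$")


def parse_keytab_listing(text):
    """Return the set of principals listed by `klist -kt` (header lines skipped)."""
    principals = set()
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            principals.add(m.group(2))
    return principals


def requested_service(kdc_line):
    """Extract (client principal, service principal) from a TGS_REQ ISSUE line."""
    m = TGS_RE.search(kdc_line)
    return (m.group(1), m.group(2)) if m else None


def host_of(principal):
    """'ldap/Host.example.@REALM' -> 'host.example' (no realm, no trailing dot)."""
    name = principal.split("@", 1)[0]
    if "/" in name:
        name = name.split("/", 1)[1]
    return name.rstrip(".").lower()


def diagnose_gssapi_bind(kdc_line, keytab_text):
    """Compare the service the client got a ticket for with the keys the LDAP
    server holds; the server can only decrypt tickets for principals in its keytab."""
    parsed = requested_service(kdc_line)
    if parsed is None:
        raise ValueError("not a TGS_REQ ISSUE line")
    client, service = parsed
    held = parse_keytab_listing(keytab_text)
    ldap_hosts = sorted({host_of(p) for p in held if p.startswith("ldap/")})
    decryptable = service in held
    hint = None
    if not decryptable:
        hint = (service + " is not in the server keytab; the server can only "
                "decrypt tickets for " + ", ".join("ldap/" + h for h in ldap_hosts)
                + ". Check the name the client resolves for the server (CNAME/PTR) "
                "against the ldap/ principal actually keyed in the keytab.")
    return {"client": client, "requested": service,
            "keytab_ldap_hosts": ldap_hosts, "decryptable": decryptable, "hint": hint}


def doubled_origin_targets(srv_records, domain):
    """Flag SRV targets where the zone origin was appended to an already
    fully-qualified name, e.g. host.zone.zone (missing trailing dot in the zone)."""
    suffix = "." + domain.rstrip(".").lower()
    bad = []
    for rec in srv_records:
        target = rec.split()[-1].rstrip(".").lower()
        if target.endswith(suffix) and target[:-len(suffix)].endswith(suffix):
            bad.append(target)
    return bad


if __name__ == "__main__":
    for t in doubled_origin_targets(SAMPLE_SRV, "virt.in.bmrc.ox.ac.uk"):
        print("broken SRV target (zone origin appended twice):", t)
    result = diagnose_gssapi_bind(SAMPLE_KDC_LOG, SAMPLE_KLIST)
    print("ticket requested for:", result["requested"])
    print("ldap/ hosts keyed in keytab:", result["keytab_ldap_hosts"])
    print("server can decrypt it:", result["decryptable"])
    if result["hint"]:
        print(result["hint"])
```

On the constructed data the script reports exactly the situation in the thread: a ticket for ldap/ipa-b.in.bmrc.ox.ac.uk that the keytab on ipa-b (keyed as ldap/ipa-b.virt.in.bmrc.ox.ac.uk) cannot decrypt, plus the doubled-origin SRV target for ipa-a. The regexes assume the default klist and krb5kdc line layouts; if your logs are formatted differently, adjust them rather than the comparison logic.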