Dear Alexander,

Some more (hopefully) helpful information with a KRB5_TRACE on while running ipa-client-install:
ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for [email protected]:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache with client principal [email protected] for server principal ldap/[email protected]
[7792] 1552322394.293496: Getting credentials [email protected] -> ldap/[email protected] using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving [email protected] -> ldap/[email protected] from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
[7792] 1552322394.293500: Requesting tickets for ldap/[email protected], referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for [email protected] -> ldap/[email protected] with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/[email protected]
[7792] 1552322394.293517: Storing [email protected] -> ldap/[email protected] in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for [email protected] -> ldap/[email protected], seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]

On 11 Mar 2019, at 16:19, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 11 Mar 2019, Callum Smith wrote:
> > Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, if I use the ldap host:
> > ldaps://ipa-b.in.bmrc.ox.ac.uk/
> > but not:
> > ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
> >
> > Since the client can only access the network that is ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP via that hostname. Is this actually possible, since the TGT is _always_ going to be on ipa-b.$domain because of the nsslapd-localhost entry?
>
> Question I have is why the client actually chooses ldap/ipa-b.$domain itself? This is probably the easiest place to change since it is driven by the DNS discovery so you can influence by whatever is put in the DNS SRV records.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
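A trace like the one in this message is easier to reason about once it is reduced to what the client asked for and what it got back. The script below is an added example and is not code from the thread, from FreeIPA or from MIT Kerberos: it parses KRB5_TRACE lines of the shape shown above (the embedded sample is constructed, with made-up principals and hostnames in EXAMPLE.COM and the same "[pid] timestamp: message" layout) and reports the service principal the client requested, the hostname it resolved for the KDC, whether the TGS exchange succeeded, which deprecated enctypes it offered, and which output lines are not Kerberos trace at all. All function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the trace in the thread. Principals and hostnames
# are made up (EXAMPLE.COM); the line layout follows real KRB5_TRACE output.
SAMPLE_TRACE = """\
[7792] 1552322394.293497: Retrieving admin@EXAMPLE.COM -> ldap/ipa-b.example.com@EXAMPLE.COM from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving admin@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.example.com@EXAMPLE.COM, referrals on
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.example.com
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293517: Storing admin@EXAMPLE.COM -> ldap/ipa-b.example.com@EXAMPLE.COM in FILE:/tmp/krbccQ6OHiN/ccache
Unable to download CA cert from LDAP.
"""

LINE_RE = re.compile(r'^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$')
RETRIEVE_RE = re.compile(r'^Retrieving (?P<client>\S+) -> (?P<server>\S+) from \S+ with result: (?P<code>-?\d+)/')
REQUEST_RE = re.compile(r'^Requesting tickets for (?P<server>[^,\s]+)')
ETYPES_RE = re.compile(r'^etypes requested in TGS request: (?P<etypes>.+)$')
RESOLVE_RE = re.compile(r'^Resolving hostname (?P<host>\S+)$')
KDC_RE = re.compile(r'^(?:Initiating|Sending) TCP (?:connection|request) to stream (?P<addr>\S+)$')
RESULT_RE = re.compile(r'^TGS request result: (?P<code>-?\d+)/(?P<text>.*)$')
STORE_RE = re.compile(r'^Storing \S+ -> (?P<server>\S+) in \S+$')

# Enctypes deprecated by RFC 6649 / RFC 8429; a client still offering them is worth a look.
WEAK_ETYPES = {'des-cbc-crc', 'des-cbc-md5', 'des3-cbc-sha1', 'rc4-hmac', 'arcfour-hmac'}


@dataclass
class TraceSummary:
    services_requested: list = field(default_factory=list)  # service principals in TGS-REQs
    cache_misses: list = field(default_factory=list)        # not yet in ccache (normal on first use)
    kdc_hostnames: list = field(default_factory=list)       # names resolved to reach a KDC
    kdcs: list = field(default_factory=list)                # addr:port actually contacted
    tgs_results: list = field(default_factory=list)         # (code, text) per TGS exchange
    tickets_stored: list = field(default_factory=list)      # service principals written to ccache
    weak_etypes_offered: list = field(default_factory=list)
    untraced_lines: list = field(default_factory=list)      # program output mixed into the trace


def summarize(text: str) -> TraceSummary:
    s = TraceSummary()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            s.untraced_lines.append(line)   # not a KRB5_TRACE line: the tool's own output
            continue
        msg = m['msg']
        if (r := RETRIEVE_RE.match(msg)):
            if r['code'] != '0':            # ccache lookup miss, precedes the TGS-REQ
                s.cache_misses.append(r['server'])
        elif (r := REQUEST_RE.match(msg)):
            s.services_requested.append(r['server'])
        elif (r := ETYPES_RE.match(msg)):
            offered = [e.strip() for e in r['etypes'].split(',')]
            s.weak_etypes_offered.extend(e for e in offered if e in WEAK_ETYPES)
        elif (r := RESOLVE_RE.match(msg)):
            s.kdc_hostnames.append(r['host'])
        elif (r := KDC_RE.match(msg)):
            if r['addr'] not in s.kdcs:
                s.kdcs.append(r['addr'])
        elif (r := RESULT_RE.match(msg)):
            s.tgs_results.append((int(r['code']), r['text']))
        elif (r := STORE_RE.match(msg)):
            s.tickets_stored.append(r['server'])
    return s


def service_hosts(s: TraceSummary) -> list:
    """Host component of each requested service principal (service/host@REALM)."""
    hosts = []
    for svc in s.services_requested:
        name = svc.split('@', 1)[0]
        if '/' in name:
            hosts.append(name.split('/', 1)[1])
    return hosts


def kerberos_succeeded(s: TraceSummary) -> bool:
    """True when every requested service ticket came back with code 0 and was stored."""
    return (bool(s.services_requested)
            and all(svc in s.tickets_stored for svc in s.services_requested)
            and all(code == 0 for code, _ in s.tgs_results))


def report(text: str) -> str:
    s = summarize(text)
    lines = [
        f"service principal(s) requested: {', '.join(s.services_requested) or '-'}",
        f"service host(s) in those principals: {', '.join(service_hosts(s)) or '-'}",
        f"KDC hostname(s) resolved: {', '.join(s.kdc_hostnames) or '-'}",
        f"KDC address(es) contacted: {', '.join(s.kdcs) or '-'}",
        f"ccache misses before the TGS-REQ (expected on first use): {len(s.cache_misses)}",
        f"TGS result(s): {s.tgs_results}",
        f"deprecated etypes offered: {', '.join(s.weak_etypes_offered) or 'none'}",
        f"Kerberos side succeeded: {kerberos_succeeded(s)}",
    ]
    if s.untraced_lines:
        lines.append("non-trace output (look here for the real error): " + " | ".join(s.untraced_lines))
    return "\n".join(lines)
```

On the sample, as in the trace above, the "Matching credential not found" line is only the ccache lookup that precedes the TGS-REQ, the TGS exchange returns Success and the ldap/ service ticket is stored, and the single non-trace line is the CA-cert download error, so the Kerberos exchange itself completed before the failure. The report also puts the host in the requested service principal next to the hostname resolved for the KDC, which is the comparison the question about ldap/ipa-b.$domain versus the .virt name turns on. To use it on a real capture: `print(report(open('trace.log').read()))`.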
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
