Dear Alexander,

Some more (hopefully) helpful information with a KRB5_TRACE on while running ipa-client install:

ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@in.bmrc.ox.ac.uk:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache with client principal ad...@in.bmrc.ox.ac.uk for server principal ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293496: Getting credentials ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm: ad...@in.bmrc.ox.ac.uk -> krbtgt/in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293500: Requesting tickets for ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
[7792] 1552322394.293517: Storing ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for ad...@in.bmrc.ox.ac.uk -> ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk, seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 16:19, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 11 Mar 2019, Callum Smith wrote:
>> Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, if I use the ldap host:
>> ldaps://ipa-b.in.bmrc.ox.ac.uk/
>> but not:
>> ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
>>
>> Since the client can only access the network that is ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP via that hostname. Is this actually possible, since the TGT is _always_ going to be on ipa-b.$domain because of the nsslapd-localhost entry?
>
> Question I have is why the client actually chooses ldap/ipa-b.$domain itself? This is probably the easiest place to change since it is driven by the DNS discovery so you can influence by whatever is put in the DNS SRV records.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
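The question in this thread comes down to which hostname ends up in the ldap/ service principal the client requests a ticket for, and whether that hostname is the one the client discovered and can actually reach. The script below is an added illustration, not code from the thread or from FreeIPA: it parses KRB5_TRACE output of the kind pasted above, pulls out each TGS exchange (service principal requested, KDC address contacted, result), and compares the host part of every ldap/ principal with the "IPA Server:" value from the ipa-client-install discovery output. The trace wording it matches ("Requesting tickets for", "Initiating TCP connection to stream", "Sending initial UDP request to dgram", "TGS request result") is MIT krb5's, to the best of my knowledge; the sample trace, the realm EXAMPLE.TEST, the hostnames and the PID are constructed placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the discovery summary ipa-client-install prints, in a
# made-up realm. Values are placeholders, not those from the thread.
SAMPLE_DISCOVERY = """\
Discovery was successful!
Client hostname: client.virt.example.test
Realm: EXAMPLE.TEST
DNS Domain: virt.example.test
IPA Server: ipa-b.virt.example.test
BaseDN: dc=example,dc=test
"""

# Constructed sample: a KRB5_TRACE excerpt for one TGS exchange (placeholder
# PID, timestamps, hostnames and KDC address).
SAMPLE_TRACE = """\
[4242] 1552322394.100001: Getting credentials admin@EXAMPLE.TEST -> ldap/ipa-b.virt.example.test@EXAMPLE.TEST using ccache FILE:/tmp/krbccXXXX/ccache
[4242] 1552322394.100002: Retrieving admin@EXAMPLE.TEST -> ldap/ipa-b.virt.example.test@EXAMPLE.TEST from FILE:/tmp/krbccXXXX/ccache with result: -1765328243/Matching credential not found (filename: /tmp/krbccXXXX/ccache)
[4242] 1552322394.100003: Retrieving admin@EXAMPLE.TEST -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST from FILE:/tmp/krbccXXXX/ccache with result: 0/Success
[4242] 1552322394.100004: Requesting tickets for ldap/ipa-b.virt.example.test@EXAMPLE.TEST, referrals on
[4242] 1552322394.100005: Sending request (985 bytes) to EXAMPLE.TEST
[4242] 1552322394.100006: Initiating TCP connection to stream 10.0.0.5:88
[4242] 1552322394.100007: Sending TCP request to stream 10.0.0.5:88
[4242] 1552322394.100008: Response was from master KDC
[4242] 1552322394.100009: TGS request result: 0/Success
[4242] 1552322394.100010: Received creds for desired service ldap/ipa-b.virt.example.test@EXAMPLE.TEST
"""

# One KRB5_TRACE line: "[pid] timestamp: message"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
# Start of a TGS exchange; the principal ends at the first comma or end of line.
REQ_RE = re.compile(r"^Requesting tickets for (?P<princ>\S+?)(?:,|$)")
# KDC socket the library opened for the request (TCP or UDP wording).
KDC_RE = re.compile(
    r"^(?:Initiating TCP connection to stream|Sending initial UDP request to dgram) (?P<addr>\S+)"
)
# Outcome of the exchange, e.g. "0/Success".
RESULT_RE = re.compile(r"^TGS request result: (?P<code>-?\d+)/(?P<text>.*)$")


@dataclass
class TgsExchange:
    service: str                      # full service principal, e.g. ldap/host@REALM
    kdcs: List[str] = field(default_factory=list)  # KDC addresses contacted
    result_code: Optional[int] = None
    result_text: Optional[str] = None


def discovered_ipa_server(install_output: str) -> Optional[str]:
    """Return the 'IPA Server:' hostname from ipa-client-install's discovery summary."""
    for line in install_output.splitlines():
        if line.startswith("IPA Server:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_tgs_exchanges(trace: str) -> List[TgsExchange]:
    """Group KRB5_TRACE lines into TGS exchanges, from 'Requesting tickets' to the result line."""
    exchanges: List[TgsExchange] = []
    current: Optional[TgsExchange] = None
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a trace record
        msg = m.group("msg")
        req = REQ_RE.match(msg)
        if req:
            current = TgsExchange(req.group("princ"))
            exchanges.append(current)
            continue
        if current is None:
            continue  # lines before the first request (ccache lookups etc.)
        kdc = KDC_RE.match(msg)
        if kdc:
            current.kdcs.append(kdc.group("addr"))
            continue
        res = RESULT_RE.match(msg)
        if res:
            current.result_code = int(res.group("code"))
            current.result_text = res.group("text")
            current = None  # this exchange is complete
    return exchanges


def principal_host(principal: str) -> Optional[str]:
    """Instance part of 'service/host@REALM' (lower-cased), or None if there is no instance."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1].lower()


def check_ldap_principal(exchanges: List[TgsExchange], expected_host: str) -> List[Dict]:
    """For each ldap/ TGS request, say whether its host is the discovered server and whether the TGS succeeded."""
    findings = []
    for ex in exchanges:
        if not ex.service.startswith("ldap/"):
            continue
        findings.append({
            "service": ex.service,
            "host_matches_discovery": principal_host(ex.service) == expected_host.lower(),
            "kdcs": list(ex.kdcs),
            "tgs_ok": ex.result_code == 0,
        })
    return findings


if __name__ == "__main__":
    server = discovered_ipa_server(SAMPLE_DISCOVERY)
    for f in check_ldap_principal(parse_tgs_exchanges(SAMPLE_TRACE), server):
        print(f)
```

Run it against a real capture by replacing the two sample strings with the ipa-client-install output and the KRB5_TRACE file. A finding with `host_matches_discovery` False points at a mismatch between the SRV-discovered server and the host in the requested ldap/ principal, which is the place Alexander suggests looking; `tgs_ok` True with a later LDAP failure, as in this thread, says the ticket itself was issued and the problem sits in the LDAP/GSSAPI step rather than at the KDC.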
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org