Dear Alexander,
No worries - here's the krb5kdc.log relevant area when you get a moment. I
understand that service aliases are relatively new to FreeIPA so debugging them
is proving to be a bit tricky.
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
We're very grateful for your time - particularly when it may be taking you away
from things like implementing the Global Catalogue we're eager for :D.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]
On 12 Mar 2019, at 11:52, Alexander Bokovoy <[email protected]> wrote:
On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
ldap/ipa-b.virt.$domain > ldap/ipa-b.$domain
HTTP/ipa-b.virt.$domain > HTTP/ipa-b.$domain
both aliases as above - krb5trace should be in attachments on previous message.
My bad. Thanks, can you also give krb5kdc.log output from the KDC server the
client talked to?
It looks like KDC is not finding something and returning PROCESS_TGS. I
have no time to look into details right now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland