So I've just re-run the client install to avoid the noise of krb5kdc.log (just
as to why the timestamps don't match) and this is the entire block:
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH:
[email protected]<mailto:[email protected]> for
krbtgt/[email protected]<mailto:krbtgt/[email protected]>,
Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes
{rep=18 tkt=18 ses=18}, [email protected]<mailto:[email protected]>
for
krbtgt/[email protected]<mailto:krbtgt/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes
{rep=18 tkt=18 ses=18}, [email protected]<mailto:[email protected]>
for
ldap/[email protected]<mailto:ldap/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes
{rep=18 tkt=18 ses=18}, [email protected]<mailto:[email protected]>
for
HTTP/[email protected]<mailto:HTTP/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes
{18}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18},
[email protected]<mailto:[email protected]> for
krbtgt/[email protected]<mailto:krbtgt/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552392528, etypes
{rep=18 tkt=18 ses=18}, [email protected]<mailto:[email protected]>
for
ldap/[email protected]<mailto:ldap/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH:
host/[email protected]<mailto:host/[email protected]>
for
krbtgt/[email protected]<mailto:krbtgt/[email protected]>,
Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes
{rep=18 tkt=18 ses=18},
host/[email protected]<mailto:host/[email protected]>
for
krbtgt/[email protected]<mailto:krbtgt/[email protected]>
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]<mailto:[email protected]>
On 12 Mar 2019, at 12:04, Alexander Bokovoy
<[email protected]<mailto:[email protected]>> wrote:
On ti, 12 maalis 2019, Callum Smith wrote:
Dear Alexander,
No worries - here's the krb5kdc.log relevant area when you get a
moment. I understand that service aliases are relatively new to FreeIPA
so debugging them is proving to be a bit tricky.
Hm.. the log you provided does not include a line where host/virt-test...
client asks for a service ticket (TGS_REQ) to HTTP/virt-b... that
results in PROCESS_TGS response.
The log entries around that one are needed.
We're very grateful for your time - particularly when it may be taking
you away from things like implementing the Global Catalogue we're eager
for :D.
:) I wish I had time for that already. I'm trying to fix
https://pagure.io/freeipa/issue/7181 right now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
