Yep, you're not wrong, one of our IPA replicas was being evil and spitting errors. That replica is destined for the bin anyway so I've not worried about it. All of the Kerberos issues have now gone away - except one which is more of a question than anything. Is it intentional that the sub-zone _kerberos._tcp SRV records are ignored and only the top-level SRV records are used? We were hoping that defining _kerberos._tcp in .virt.in.bmrc.ox.ac.uk would work and override the _kerberos._tcp SRV records in .in.bmrc.ox.ac.uk
I have a feeling this behaviour is only in the installer, however. Another (smaller) issue is that the DNS record creation as part of `ipa-client-install` isn't working. I'm having trouble finding where to look for the error:

2019-03-12T14:43:39Z DEBUG The DNS query name does not exist: virt-test.virt.in.bmrc.ox.ac.uk.
2019-03-12T14:43:39Z WARNING Hostname (virt-test.virt.in.bmrc.ox.ac.uk) does not have A/AAAA record.
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use loopback IP address 127.0.0.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use loopback IP address ::1
2019-03-12T14:43:39Z DEBUG IP check successful: 10.141.17.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use link-local IP address fe80::546f:67ff:fe51:1c%eth0
2019-03-12T14:43:39Z DEBUG IP check successful: 10.141.17.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use link-local IP address fe80::546f:67ff:fe51:1c%eth0
2019-03-12T14:43:39Z DEBUG Searching for an interface of IP address: 10.141.17.1
2019-03-12T14:43:39Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2019-03-12T14:43:39Z DEBUG Testing local IP address: 10.141.17.1/255.255.240.0 (interface: eth0)
2019-03-12T14:43:39Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2019-03-12T14:43:39Z DEBUG debug
update delete virt-test.virt.in.bmrc.ox.ac.uk. IN A
show
send
update delete virt-test.virt.in.bmrc.ox.ac.uk. IN AAAA
show
send
update add virt-test.virt.in.bmrc.ox.ac.uk. 1200 IN A 10.141.17.1
show
send

2019-03-12T14:43:39Z DEBUG Starting external process
2019-03-12T14:43:39Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2019-03-12T14:45:23Z DEBUG Process finished, return code=1
2019-03-12T14:45:23Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
virt-test.virt.in.bmrc.ox.ac.uk. 0 ANY A

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55036
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY

;; ADDITIONAL SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 1552401823 1552401823 3 NOERROR 688 YIICrAYJKoZIhvcSAQICAQBuggKbMIICl6ADAgEFoQMCAQ6iBwMFACAA AACjggGKYYIBhjCCAYKgAwIBBaE SGxBJTi5CTVJDLk9YLkFDLlVLoigw JqADAgEDoR8wHRsDRE5TGxZpcGEtYS5pbi5ibXJjLm94LmFjLnVro4IB OzCCATegAwIBEqEDAgECooIBKQSCASX4L4yJ9gPwWyHU5szTktPPJP+G Hjf/Bzworzuk1ODfJ5k/rG35UYurnk1KB0FI RYaeblQ8CPyYZ9eAmo1l WiPHFT+GwVtiUN6nhiPno5cQway4I5BCBOAQBEuxJd96GGqMhZYZLzWZ EomtIyl3JGL7GcuXFV62S9Dwg3FXsME3XYkBGrCQXHgXX35Yq0sh5sWI JM/XDPfbTxDHonLc+l/FSCyXB1KlOBc0v9KGX02V3aPlc NssV2xvk8y/ Nt/nyCI8VtzIa/6fSy/ZDpdwCkLqF2TbXY3ans6x1YbtS6GXIQtB3SFr n5PLZ+D/s6iHDHw7x4+q2on9+zlytLJahdoJLUO6/Zbr0MQrJPTjGmEb /RMySXyzEFz/evVVwlApnGlYY8ToIKSB8zCB8KADAgESooHoBIHl/v gZ 5/9qdzXOnRNBsmlgXU4viWXwbncZgQJ3E14rZOybp3/V9CVon0TjA4W4 +DsvWTeFiW9TO8ItLEsy/Am5phN3JemwPbSzYlZjUUovAKcCUg19Bn9o T6U2uopI38PxIIW7hieiQbcwu2thzjmVZCTLzl/ecxzHPhfWYbgJAz3T WLsYS+ 7TvVBU7UwYrbYb6Pbs3jF6VZCkEGRUz6DrQ8ukoL/hjBNcJ7uP MtNz9IVk61Monet/6fAT/EqIgvBYTGXySclw4/x8q2VxShtZ9NwT104+ eMijav0t8wsxeoL0HIq67w== 0

2019-03-12T14:45:23Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21780
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;virt-test.virt.in.bmrc.ox.ac.uk. IN SOA

;; AUTHORITY SECTION:
virt.in.bmrc.ox.ac.uk. 0 IN SOA ipa-a.in.bmrc.ox.ac.uk. hostmaster.virt.in.bmrc.ox.ac.uk. 1552319704 3600 900 1209600 3600

Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26740
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY

;; ANSWER SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 22380
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY

response to SOA query was unsuccessful

2019-03-12T14:45:23Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2019-03-12T14:45:23Z ERROR Failed to update DNS records.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: virt-test.virt.in.bmrc.ox.ac.uk IN A
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: virt-test.virt.in.bmrc.ox.ac.uk IN AAAA
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: 1.17.141.10.in-addr.arpa. IN PTR
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z WARNING Missing A/AAAA record(s) for host virt-test.virt.in.bmrc.ox.ac.uk: 10.141.17.1.
2019-03-12T14:45:23Z WARNING Missing reverse record(s) for address(es): 10.141.17.1.

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e.
[email protected]

On 12 Mar 2019, at 12:37, Alexander Bokovoy <[email protected]> wrote:

> On Tue, 12 Mar 2019, Callum Smith wrote:
>> So I've just re-run the client install to avoid the noise of krb5kdc.log (just as to why the timestamps don't match) and this is the entire block:
>
> In the client krb5 trace I can see it talks to four different KDCs, not to ipa-b alone, because the krb5.conf generated during install does not pin you to ipa-b anymore. So I guess you need to look at other KDCs' logs too.
>
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, [email protected] for ldap/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
>> Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
>>
>> Regards,
>> Callum
>>
>> --
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. [email protected]
>>
>> On 12 Mar 2019, at 12:04, Alexander Bokovoy <[email protected]> wrote:
>>
>>> On Tue, 12 Mar 2019, Callum Smith wrote:
>>>> Dear Alexander,
>>>>
>>>> No worries - here's the krb5kdc.log relevant area when you get a moment. I understand that service aliases are relatively new to FreeIPA so debugging them is proving to be a bit tricky.
>>>
>>> Hm.. the log you provided does not include a line where host/virt-test... client asks for a service ticket (TGS_REQ) to HTTP/virt-b... that results in PROCESS_TGS response. The log entries around that one are needed.
>>>
>>>> We're very grateful for your time - particularly when it may be taking you away from things like implementing the Global Catalogue we're eager for :D.
>>>
>>> :) I wish I had time for that already. I'm trying to fix https://pagure.io/freeipa/issue/7181 right now.
>>>
>>> --
>>> / Alexander Bokovoy
>>> Sr. Principal Software Engineer
>>> Security / Identity Management Engineering
>>> Red Hat Limited, Finland
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
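Added example for the sub-zone SRV question above; this is not from the thread and not FreeIPA code. It simulates how an MIT krb5 client turns a host name into a KDC list, against a constructed in-memory zone table instead of real DNS. The lookup order follows the MIT krb5 documentation (realm from `_kerberos.<domain>` TXT records, stripping one label per step; KDCs from `_kerberos._tcp.<realm>` / `_kerberos._udp.<realm>` SRV records, ordered per RFC 2782). The zone contents, host names, priorities and weights are invented, and the script does not model `ipa-client-install`'s own server discovery. What it shows is that the SRV owner name is built from the realm, so a `_kerberos._tcp` record in a sub-zone is never queried unless that sub-zone is itself a realm:

```python
"""Simulated MIT-krb5-style KDC discovery over a constructed zone table."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed zone data for this example: names echo the thread, but the
# hosts, priorities and weights are invented.
ZONE = {
    "_kerberos.in.bmrc.ox.ac.uk": {"TXT": ["IN.BMRC.OX.AC.UK"]},
    "_kerberos._tcp.in.bmrc.ox.ac.uk": {"SRV": [
        SRV(0, 100, 88, "ipa-a.in.bmrc.ox.ac.uk."),
        SRV(0, 100, 88, "ipa-b.in.bmrc.ox.ac.uk."),
        SRV(10, 100, 88, "ipa-old.in.bmrc.ox.ac.uk."),   # backup-only replica
    ]},
    # The sub-zone SRV the thread hoped would override the parent's records:
    "_kerberos._tcp.virt.in.bmrc.ox.ac.uk": {"SRV": [
        SRV(0, 100, 88, "ipa-virt.virt.in.bmrc.ox.ac.uk."),
    ]},
}

QUERY_LOG = []   # (name, rtype) for every lookup the simulation performs


def lookup(name, rtype):
    """Stand-in resolver: answers only from ZONE and records what was asked."""
    key = name.lower().rstrip(".")
    QUERY_LOG.append((key, rtype))
    return list(ZONE.get(key, {}).get(rtype, []))


def realm_for_host(hostname):
    """Host -> realm via _kerberos.<domain> TXT, walking up one label at a time.

    Mirrors the dns_lookup_realm behaviour in the MIT krb5 documentation.
    Returns None when nothing maps; a real client would then fall back to
    [domain_realm] / default_realm in krb5.conf.
    """
    labels = hostname.rstrip(".").split(".")[1:]       # drop the host label
    while labels:
        txt = lookup("_kerberos." + ".".join(labels), "TXT")
        if txt:
            return txt[0]
        labels = labels[1:]
    return None


def order_srv(records, rng):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate_kdcs(hostname, realm=None, proto="tcp", seed=0):
    """KDC 'host:port' strings in the order a client would try them.

    The SRV owner name comes from the realm, not from the client's DNS
    domain, so _kerberos._tcp.<sub-zone> is never consulted unless the
    sub-zone is itself a realm (pass realm= to see that case).
    """
    realm = realm or realm_for_host(hostname)
    if realm is None:
        raise LookupError("no realm mapping for " + hostname)
    srv_name = "_kerberos._%s.%s" % (proto, realm.lower())
    records = order_srv(lookup(srv_name, "SRV"), random.Random(seed))
    return ["%s:%d" % (r.target.rstrip("."), r.port) for r in records]


if __name__ == "__main__":
    host = "virt-test.virt.in.bmrc.ox.ac.uk"
    print("realm:", realm_for_host(host))
    print("KDCs :", locate_kdcs(host))
    print("names queried:", sorted({n for n, _ in QUERY_LOG}))
```

Running it for a host in virt.in.bmrc.ox.ac.uk lists only the parent-zone KDCs, and the query log shows that `_kerberos._tcp.virt.in.bmrc.ox.ac.uk` was never asked for; only the TXT walk touches the sub-zone. Passing `realm="VIRT.IN.BMRC.OX.AC.UK"` is the one way the sub-zone SRV gets used, which is to say the override only works if the sub-zone is a realm of its own.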
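Added example for the `nsupdate -g` failure above; again not from the thread and not FreeIPA code. It parses the decision points out of an nsupdate stderr transcript (which zone the SOA probe found and who its master is, transport failures, the TKEY error code of the GSS-TSIG negotiation, and whether nsupdate gave up) and turns them into the checks to run next. The sample input is the stderr quoted in the log above, trimmed to the lines the parser uses; the suggested checks (kinit -k with the host keytab, then kvno against the master's DNS/ service principal) are the editor's, not something the thread confirms as the cause.

```python
"""Triage an `nsupdate -g` stderr transcript (GSS-TSIG dynamic update)."""
import re

# Sample input: the stderr quoted in the thread, trimmed (flags/blank lines dropped).
SAMPLE_STDERR = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21780
;; QUESTION SECTION:
;virt-test.virt.in.bmrc.ox.ac.uk. IN SOA
;; AUTHORITY SECTION:
virt.in.bmrc.ox.ac.uk. 0 IN SOA ipa-a.in.bmrc.ox.ac.uk. hostmaster.virt.in.bmrc.ox.ac.uk. 1552319704 3600 900 1209600 3600
Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26740
;; QUESTION SECTION:
;3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY
;; ANSWER SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 22380
;; QUESTION SECTION:
;sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY
response to SOA query was unsuccessful
"""

ZONE_RE = re.compile(r"^Found zone name: (\S+)$")
MASTER_RE = re.compile(r"^The master is: (\S+)$")
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
COMM_RE = re.compile(r"^; Communication with (\S+)#(\d+) failed: (.+)$")
# TKEY rdata (RFC 2930): algorithm inception expiration mode error keysize ...
TKEY_RE = re.compile(r"^(\S+)\s+\d+\s+\S+\s+TKEY\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)")
GSS_API_MODE = "3"   # TKEY mode 3 = GSS-API negotiation


def parse_nsupdate_stderr(text):
    """Extract zone/master, per-reply status, transport failures and TKEY errors."""
    r = {"zone": None, "master": None, "reply_statuses": [],
         "comm_failures": [], "tkey_errors": [], "unsuccessful": False}
    for line in text.splitlines():
        line = line.rstrip()
        m = ZONE_RE.match(line)
        if m:
            r["zone"] = m.group(1)
            continue
        m = MASTER_RE.match(line)
        if m:
            r["master"] = m.group(1)
            continue
        m = HEADER_RE.match(line)
        if m:
            r["reply_statuses"].append(m.group(2))
            continue
        m = COMM_RE.match(line)
        if m:
            r["comm_failures"].append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = TKEY_RE.match(line)
        if m and m.group(2).rstrip(".") == "gss-tsig" and m.group(5) == GSS_API_MODE:
            if m.group(6) != "NOERROR":          # BADKEY, BADTIME, BADMODE, ...
                r["tkey_errors"].append((m.group(1), m.group(6)))
            continue
        if line == "response to SOA query was unsuccessful":
            r["unsuccessful"] = True
    return r


def triage(r):
    """Turn the parsed facts into the next checks a practitioner would run."""
    out = []
    master = r["master"] or "the zone master"
    if r["reply_statuses"][:1] == ["NXDOMAIN"]:
        out.append("NXDOMAIN on the first SOA probe is expected: nsupdate asks for the "
                   "not-yet-existing name and takes the zone from the AUTHORITY SOA")
    if r["zone"]:
        out.append("zone %s is mastered by %s; the TKEY negotiation and the update go "
                   "there" % (r["zone"], master))
    for ip, port, why in r["comm_failures"]:
        out.append("no reply from %s#%d (%s): confirm %s resolves to %s and that 53/udp "
                   "and 53/tcp to it are not filtered" % (ip, port, why, master, ip))
    for keyname, err in r["tkey_errors"]:
        out.append("TKEY %s answered %s: the server rejected the GSS-TSIG negotiation; "
                   "check the client gets a ticket for DNS/%s (kinit -k, then kvno DNS/%s) "
                   "and that the server's DNS keytab is current" % (keyname, err, master, master))
    if "FORMERR" in r["reply_statuses"]:
        out.append("a later TKEY query was answered FORMERR: the server did not accept "
                   "the retry message at all")
    if r["unsuccessful"]:
        out.append("nsupdate aborted before any signed update was sent, which is why the "
                   "A/AAAA and PTR lookups afterwards still find nothing")
    return out


if __name__ == "__main__":
    for finding in triage(parse_nsupdate_stderr(SAMPLE_STDERR)):
        print("-", finding)
```

On the transcript from the thread this reports the timeout to 10.141.247.129 during send_gssrequest and the BADKEY answer to the TKEY retry; the two together point at the network path to, and the DNS service credentials on, the zone master rather than at the update itself. To reproduce outside the installer, run the same file by hand with `KRB5_TRACE=/dev/stderr nsupdate -g -d /etc/ipa/.dns_update.txt` under the host keytab and feed its stderr to the parser.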
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
