On Tue, May 11, 2021 at 07:08:40PM -0000, pxg51214 r via FreeIPA-users wrote:
> Hello,
> I apologize if this has been previously resolved. I am new to the FreeIPA
> product. Our ops team has created a keytab (please kindly see below for the
> command used)
> on a Windows AD server. I copied the keytab file, along with the KDC and
> root-CA certificates, to a RedHat Linux server,
> added a second REALM entry in /etc/krb5.conf (per Google blog
> recommendations) and tried 'kinit' (please
> see the command used below).
> The cli response (error) is listed below, and I would appreciate guidance on the
> possible root causes and remedies.
> Thank you very much.
> -Chris
> 
> #----- Linux system configuration (the server where the keytab is placed for 
> automation)  --------------------------------------------------------
> $ cat /etc/os-release
> NAME="Red Hat Enterprise Linux"
> VERSION="8.3 (Ootpa)"
> ID="rhel"
> ID_LIKE="fedora"
> VERSION_ID="8.3"
> PLATFORM_ID="platform:el8"
> PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA"
> HOME_URL="https://www.redhat.com/";
> BUG_REPORT_URL="https://bugzilla.redhat.com/";
> 
> REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
> REDHAT_BUGZILLA_PRODUCT_VERSION=8.3
> REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
> REDHAT_SUPPORT_PRODUCT_VERSION="8.3"
> 
> 
> #---- Windows AD server configuration  (the server where the keytab is 
> created)  ---------------------------------------------------------------
> PS C:\temp> systeminfo
> 
> Host Name:                 MGMT-062-AD
> OS Name:                   Microsoft Windows Server 2019 Standard
> OS Version:                10.0.17763 N/A Build 17763
> OS Manufacturer:           Microsoft Corporation
> OS Configuration:          Primary Domain Controller
> OS Build Type:             Multiprocessor Free
> Registered Owner:          EXAMPLE, Inc
> Registered Organization:   EXAMPLE.COM
> Product ID:                00429-70000-00000-AA235
> Original Install Date:     3/25/2020, 8:52:14 PM
> System Boot Time:          4/14/2021, 5:18:21 PM
> System Manufacturer:       Xen
> System Model:              HVM domU
> System Type:               x64-based PC
> Processor(s):              1 Processor(s) Installed.
>                            [01]: Intel64 Family 6 Model 79 Stepping 1 
> GenuineIntel ~2600 Mhz
> BIOS Version:              Xen 4.7<denied>, 12/14/2020
> Windows Directory:         C:\Windows
> System Directory:          C:\Windows\system32
> Boot Device:               \Device\HarddiskVolume1
> System Locale:             en-us;English (United States)
> Input Locale:              en-us;English (United States)
> Time Zone:                 (UTC-06:00) Central Time (US & Canada)
> Total Physical Memory:     16,380 MB
> Available Physical Memory: 12,006 MB
> Virtual Memory: Max Size:  18,812 MB
> Virtual Memory: Available: 14,772 MB
> Virtual Memory: In Use:    4,040 MB
> Page File Location(s):     C:\pagefile.sys
> Domain:                    internal2.example.com
> Logon Server:              \\MGMT-062-AD
> Hotfix(s):                 16 Hotfix(s) Installed.
>                            [01]: KB4601558
>                            [02]: KB4494174
>                            [03]: KB4516115
>                            [04]: KB4523204
>                            [05]: KB4535680
>                            [06]: KB4539571
>                            [07]: KB4549947
>                            [08]: KB4562562
>                            [09]: KB4580325
>                            [10]: KB4587735
>                            [11]: KB4598480
>                            [12]: KB4601393
>                            [13]: KB5000859
>                            [14]: KB5001404
>                            [15]: KB5003243
>                            [16]: KB5003171
> Network Card(s):           1 NIC(s) Installed.
>                            [01]: XenServer PV Network Device
>                                  Connection Name: Ethernet 2
>                                  DHCP Enabled:    No
>                                  IP address(es)
>                                  [01]: 10.93.178.118
>                                  [02]: fe80::580:2a39:3c96:efa0
> Hyper-V Requirements:      A hypervisor has been detected. Features required 
> for Hyper-V will not be displayed.
> PS C:\temp>
> 
> 
> #----- Command used on Windows AD server (mgmt-062-ad) to create the keytab 
> file ---------------------------------------------------------------
> 
> C:/>   ktpass -out ldap-ad-2.keytab -princ [email protected]@INTERNAL2.EXAMPLE.COM +rndPass -mapUser [email protected]  -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL

Hi,

the principal is wrong. A proper principal would be e.g.

    ... -princ ldap/[email protected]

However, I'd expect that this won't work either because this principal
is most probably already used by the Windows AD server itself.


I wonder why you need the keytab in the first place? You mentioned that
you want to use FreeIPA. For FreeIPA you do not have to create a keytab
on the Windows side. What are you trying to achieve?

bye,
Sumit

> 
> #------  Error message 
> ---------------------------------------------------------------
> 
> $ klist -kt ldap-ad-2.keytab
> Keytab name: FILE:ldap-ad-2.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>   18 12/31/1969 18:00:00 [email protected]\@INTERNAL2.EXAMPLE.COM
> 
> 
> #------  KRB5 Configuration File  
> ---------------------------------------------------------------
> 
> $ cat /etc/krb5.conf
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = INTERNAL.EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   dns_canonicalize_hostname = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> 
> [realms]
>   INTERNAL.EXAMPLE.COM = {
>     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> 
>   }
>   INTERNAL2.EXAMPLE.COM = {
>     pkinit_anchors = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.DomainController.Cert.pem
>     pkinit_pool = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.RootCA.Cert.pem
> 
>   }
> 
> [domain_realm]
>   .internal..example.com = INTERNAL.EXAMPLE.COM
>   internal..example.com = INTERNAL.EXAMPLE.COM
>   mgmt-027-auto.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
>   .mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
>   mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
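An added example for this thread, not code from FreeIPA or from either poster: a small parser and checker for Kerberos principal names in the text form that `klist -kt` prints and `kinit -k -t` accepts. It illustrates the point about the principal's shape. `klist` escapes a literal `@` inside a name component as `\@`, which is exactly what the keytab listing above shows, so the first component of that entry contains a UPN-style `user@domain` string rather than the `service/fqdn` pair Sumit suggests. The host name `mgmt-062-ad.internal2.example.com` is assumed from the systeminfo output; the sample principals and the embedded `klist -kt` listing are constructed, not the poster's real output. (The `12/31/1969 18:00:00` timestamp is epoch zero rendered in the host's UTC-6 zone and is not itself a problem.)

```python
"""Sanity-check Kerberos principal names in the MIT text form that klist -kt
prints and that kinit -k -t <keytab> <principal> takes.

Added example for this thread, not FreeIPA code or the posters' code.  The
sample principals and the klist listing are constructed; the host name
mgmt-062-ad.internal2.example.com is assumed from the systeminfo output."""
import re
from dataclasses import dataclass, field

# Single-character escapes MIT krb5_parse_name accepts besides \/ \@ and \\
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


@dataclass
class Principal:
    components: list = field(default_factory=list)
    realm: str = ""

    def unparse(self) -> str:
        """Quote the name the way klist prints it: literal / @ \\ get a backslash."""
        def quote(s: str) -> str:
            return re.sub(r"([/@\\])", r"\\\1", s)
        return "/".join(quote(c) for c in self.components) + "@" + self.realm


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' honouring backslash escapes.  The first
    unescaped '@' starts the realm; a second one is malformed, which is what
    a UPN like user@domain pasted in front of @REALM produces."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 1
            if i >= len(text):
                raise ValueError("dangling backslash in %r" % text)
            cur.append(_ESCAPES.get(text[i], text[i]))  # \@ -> literal '@'
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        elif ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@' in %r" % text)
            comps.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("no realm in %r" % text)
    return Principal(comps, "".join(cur))


def check_service_principal(text: str, expected_realm: str) -> list:
    """Return findings; empty means the name has the service/fqdn@REALM shape
    a service keytab entry should have."""
    try:
        p = parse_principal(text)
    except ValueError as err:
        return [str(err)]
    findings = []
    if p.realm != expected_realm:
        findings.append("realm %r is not the expected %r" % (p.realm, expected_realm))
    for comp in p.components:
        if "@" in comp:
            findings.append("component %r holds a literal '@' (klist shows it as \\@)" % comp)
    if len(p.components) != 2:
        findings.append("expected service/host, got %d component(s)" % len(p.components))
    else:
        service, host = p.components
        if not re.fullmatch(r"[a-z][a-z0-9-]*", service):
            findings.append("service part %r should be a plain name such as ldap" % service)
        if host != host.lower() or "." not in host:
            findings.append("instance %r should be the lowercase FQDN of the host" % host)
    return findings


# Constructed klist -kt listing, modelled on the shape of the one in the thread.
KLIST_SAMPLE = r"""Keytab name: FILE:ldap-ad-2.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  18 12/31/1969 18:00:00 svc-ldap\@internal2.example.com@INTERNAL2.EXAMPLE.COM
   3 12/31/1969 18:00:00 ldap/mgmt-062-ad.internal2.example.com@INTERNAL2.EXAMPLE.COM
"""
_ROW = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def audit_klist_output(listing: str, expected_realm: str) -> dict:
    """Map every principal in klist -kt output to its findings."""
    report = {}
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m:
            report[m.group(3)] = check_service_principal(m.group(3), expected_realm)
    return report


if __name__ == "__main__":
    for princ, found in audit_klist_output(KLIST_SAMPLE, "INTERNAL2.EXAMPLE.COM").items():
        print(princ, "->", found or "OK")
```

Run it against real output with `klist -kt <keytab> | python3 check_principal.py`-style plumbing of your own, or paste the listing into `KLIST_SAMPLE`; the first constructed entry is reported twice (a literal `@` inside the component and only one component instead of `service/host`), the `ldap/<fqdn>@REALM` entry passes. Whether the AD side will actually accept a keytab for that `ldap/<fqdn>` name is a separate question, as Sumit notes.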