Thanks for your help!

> This is coming from an attempt to get a Kerberos service ticket using
> credentials for the user you are using to enroll this machine. Since you
> are passing '-w$password' and not any specific principal, this means it
> is the machine itself, hence we see
I'm passing -phost-enrollment (host-enrollment is the user for the password
in -w), should I be adding something more?

> 'TGT has been revoked' error comes from your KDC on IPA master. Please check
> /var/log/krb5kdc.log on IPA server you connected to for this deployment.
> There should be one of explaining messages prior to rejection. It might
> be prefixed with 'PAC issue:' string

There's nothing around this exact time, the only bits regarding a specific
failed host that I could find are:

krb5kdc[4526](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 172.22.2.123: NEEDED_PREAUTH: host/ip-172-22-2-123....@example.com for krbtgt/example....@example.com, Additional pre-authentication required
krb5kdc[4526](info): closing down fd 4
krb5kdc[4525](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 172.22.2.123: ISSUE: authtime 1669105826, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/ip-172-22-2-123....@example.com for krbtgt/example....@example.com

(Different host in the logs above than before, but we had this issue again
this morning and it was easier to look up than older logs.)

In terms of errors, the only one I could find in the logs was:

krb5kdc[27486](Error): PAC issue: ipadb_get_principal failed.

This was logged right before the whole set of instances got their errors.

I did also notice that some of the same hostnames exist in older Kerberos
logs (hostnames will get repeated in our cloud env every now and then),
could this be the cause? A host with a previously used hostname trying to
enrol again?
We have an automated process in place that calls host-del to IPA when an
instance is terminated to delete it and its data from IPA, but maybe we
should be clearing something from Kerberos directly too?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
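The krb5kdc.log lines quoted in the post have a regular shape, so a small parser can answer the two questions the post raises from the KDC's side: which request was being handled when the 'PAC issue' error was logged, and whether a host principal is turning up from more than one client address (what a recycled hostname being enrolled again looks like in the log). The following is an added example, not code from the thread or from FreeIPA. The sample log lines are constructed to match the quoted excerpt, with made-up hostnames, addresses, realm and syslog-style timestamps (krb5kdc normally writes a "Mon DD HH:MM:SS host" prefix; the quoted excerpt had it trimmed, so its exact form here is an assumption), and pairing an error with the last request logged by the same KDC worker pid is a heuristic, since krb5kdc does not link the two lines explicitly.

```python
"""Parse krb5kdc.log lines and pull out what the thread is after: AS_REQ and
TGS_REQ outcomes per principal, 'PAC issue' errors paired with the request
that preceded them, and host principals seen from more than one address."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the excerpt in the thread. Hostnames, IPs,
# realm and timestamps are made up; the syslog-style prefix is assumed.
SAMPLE_LOG = """\
Nov 22 08:30:25 ipa-master krb5kdc[4526](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.22.2.123: NEEDED_PREAUTH: host/ip-172-22-2-123.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 22 08:30:25 ipa-master krb5kdc[4526](info): closing down fd 4
Nov 22 08:30:26 ipa-master krb5kdc[4525](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.22.2.123: ISSUE: authtime 1669105826, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/ip-172-22-2-123.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 22 08:30:27 ipa-master krb5kdc[4525](Error): PAC issue: ipadb_get_principal failed.
Nov 22 09:10:02 ipa-master krb5kdc[4526](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18)}) 172.22.2.77: ISSUE: authtime 1669108202, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/ip-172-22-2-123.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# "Mon DD HH:MM:SS host krb5kdc[pid](level): message"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")
# "AS_REQ (etypes) ip: STATUS: [authtime/etypes,] client for server[, text]"
REQUEST_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>\w+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
    r"(?:, (?P<text>.*))?$")


@dataclass
class KdcEvent:
    ts: str
    pid: int
    level: str
    kind: str              # "request", "pac_issue" or "other"
    req_type: str = ""     # AS_REQ / TGS_REQ
    client_ip: str = ""
    status: str = ""       # NEEDED_PREAUTH, ISSUE, ...
    client: str = ""
    server: str = ""
    text: str = ""


def parse_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for one krb5kdc.log line, or None if it is not one."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, pid, level, msg = m["ts"], int(m["pid"]), m["level"], m["msg"]
    r = REQUEST_RE.match(msg)
    if r:
        return KdcEvent(ts, pid, level, "request", r["req"], r["ip"],
                        r["status"], r["client"], r["server"], r["text"] or "")
    if msg.startswith("PAC issue:"):
        return KdcEvent(ts, pid, level, "pac_issue",
                        text=msg[len("PAC issue:"):].strip())
    return KdcEvent(ts, pid, level, "other", text=msg)


def parse_log(text: str) -> List[KdcEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def pac_issues_with_context(events: List[KdcEvent]) -> List[Tuple[KdcEvent, Optional[KdcEvent]]]:
    """Pair each 'PAC issue' error with the last request logged by the same
    worker pid (heuristic), falling back to the last request from any worker."""
    last_by_pid: Dict[int, KdcEvent] = {}
    last_any: Optional[KdcEvent] = None
    out: List[Tuple[KdcEvent, Optional[KdcEvent]]] = []
    for ev in events:
        if ev.kind == "request":
            last_by_pid[ev.pid] = ev
            last_any = ev
        elif ev.kind == "pac_issue":
            out.append((ev, last_by_pid.get(ev.pid, last_any)))
    return out


def principals_from_multiple_ips(events: List[KdcEvent]) -> Dict[str, Set[str]]:
    """Host principals that authenticated from more than one client address,
    which is what a recycled hostname re-enrolling looks like to the KDC."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.kind == "request" and ev.client.startswith("host/"):
            seen[ev.client].add(ev.client_ip)
    return {p: ips for p, ips in seen.items() if len(ips) > 1}


def status_counts(events: List[KdcEvent]) -> Dict[Tuple[str, str], int]:
    """How many requests of each (type, status) the log contains."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for ev in events:
        if ev.kind == "request":
            counts[(ev.req_type, ev.status)] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for err, ctx in pac_issues_with_context(evs):
        print(f"{err.ts} pid {err.pid}: PAC issue '{err.text}' after",
              f"{ctx.req_type} {ctx.status} for {ctx.client}" if ctx else "no request")
    for princ, ips in principals_from_multiple_ips(evs).items():
        print("seen from several addresses:", princ, sorted(ips))
```

Run it against a real file with `parse_log(open("/var/log/krb5kdc.log").read())`; the pid-based pairing is only a hint about which enrolment tripped the error, so confirm against the timestamps before acting on it.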