Re: [Freeipa-users] Unable to authenticate a client user against IPA

Tue, 08 Mar 2011 17:37:01 -0800 

Hi,

Log,

============
2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later

2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'

     0K .                                                     100%
237M=0s

2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]


2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz

2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz

2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ

2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz

2011-03-04 15:09:04,645 DEBUG will use principal: admin

2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

     0K .                                                     100%
249M=0s

2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]


2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz: 

2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.

2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   -> Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
-d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
'/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped

2011-03-04 15:09:14,104 DEBUG stderr=
2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]

2011-03-04 15:09:14,280 DEBUG stderr=
2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
2011-03-04 15:09:14,295 DEBUG stdout=certmonger         0:off   1:off   2:off
3:off   4:off   5:off   6:off

2011-03-04 15:09:14,295 DEBUG stderr=
2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
2011-03-04 15:09:14,564 DEBUG stdout=
2011-03-04 15:09:14,564 DEBUG stderr=
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
-n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N
CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K
host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz
2011-03-04 15:09:14,586 DEBUG stdout=Error
org.fedorahosted.certmonger.duplicate: Certificate at same location is
already used by request "20110303020539".

2011-03-04 15:09:14,586 DEBUG stderr=
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stdout=
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be
canonicalized when creating default server principal name

2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2011-03-04 15:09:14,764 DEBUG stdout=
2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may
have expired.

2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...

2011-03-04 15:09:14,827 DEBUG stderr=
2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [  OK  ]

2011-03-04 15:09:14,856 DEBUG stderr=
2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
2011-03-04 15:09:14,858 DEBUG stdout=nscd               0:off   1:off   2:on
3:on    4:on    5:on    6:off

2011-03-04 15:09:14,858 DEBUG stderr=
2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
2011-03-04 15:09:14,958 DEBUG stdout=
2011-03-04 15:09:14,958 DEBUG stderr=
2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd
--enablesssdauth --update
2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [  OK  ]
[  OK  ]

2011-03-04 15:09:16,402 DEBUG stderr=
2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
2011-03-04 15:09:16,419 DEBUG stdout=
2011-03-04 15:09:16,419 DEBUG stderr=
2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
2011-03-04 15:09:17,424 DEBUG stdout=
2011-03-04 15:09:17,424 DEBUG stderr=
2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
2011-03-04 15:09:18,429 DEBUG stdout=
2011-03-04 15:09:18,429 DEBUG stderr=
2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
2011-03-04 15:09:19,432 DEBUG stdout=
2011-03-04 15:09:19,432 DEBUG stderr=
2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
2011-03-04 15:09:20,436 DEBUG stdout=
2011-03-04 15:09:20,436 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5
--update --nostart
2011-03-04 15:09:22,303 DEBUG stdout=
2011-03-04 15:09:22,303 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG Backing up system configuration file
'/etc/ntp.conf'
2011-03-04 15:09:22,304 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,305 DEBUG Backing up system configuration file
'/etc/sysconfig/ntpd'
2011-03-04 15:09:22,305 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
2011-03-04 15:09:22,398 DEBUG stdout=
2011-03-04 15:09:22,398 DEBUG stderr=
2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]

2011-03-04 15:09:22,537 DEBUG stderr=
============

regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher <sgall...@redhat.com> wrote:
> 
> > 
> > 
> > On Mar 8, 2011, at 5:45 PM, Steven Jones <steven.jo...@vuw.ac.nz>
> > wrote:
> > 
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ----
> > > --------------------------------------------------------------------------
> > > 
> > > 8><---------
> > >> 
> > >> 
> > >> 
> > >> 
> > 
> > Looks like you have no host key in the keytab. That's the root of the
> > problem. Seems like IPA-client-install failed to populate it. Rob, do
> > you have any insight here?
> 
> does /var/log/ipaclient-install.log show any error ?
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to