Whoops.  Let's try this again, I failed to post it correctly the first time.

The Reader's Digest version: I set up a FreeIPA server on CentOS 6.3. I then set up a FreeIPA client on another CentOS 6.3 system. So far, so good. Then I attempted to set up a FreeIPA client on an F18 system, which has FreeIPA 3.1.0, but that fails with the error "Failed to obtain host TGT." and then reverts the changes.

The log file shows everything succeeding up to this point:

--------------------------------------------------------------------------
2012-12-23T19:39:38Z DEBUG args=/usr/sbin/ipa-join -s s0.ipa.naunetcorp.com -b dc=ipa,dc=naunetcorp,dc=com -h aloe.ipa.naunetcorp.com
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=Certificate subject base is: O=IPA.NAUNETCORP.COM

2012-12-23T19:39:40Z INFO Enrolled in IPA realm IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=kdestroy
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/aloe.ipa.naunetcorp....@ipa.naunetcorp.com
2012-12-23T19:39:40Z DEBUG Process finished, return code=1
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=kinit: Generic preauthentication failure while getting initial credentials

2012-12-23T19:39:40Z ERROR Failed to obtain host TGT.
2012-12-23T19:39:40Z ERROR Installation failed. Rolling back changes.
--------------------------------------------------------------------------

Every time I run the client script, the following appears in krb5kdc.log on the server:

--------------------------------------------------------------------------
Dec 23 15:28:38 s0 krb5kdc[1208](info): AS_REQ (4 etypes {18 17 16 23}) 2001:db8::1: NEEDED_PREAUTH: host/aloe.ipa.naunetcorp....@ipa.naunetcorp.com for krbtgt/ipa.naunetcorp....@ipa.naunetcorp.com, Additional pre-authentication required
--------------------------------------------------------------------------

(Yes, the timestamps are different, because I just thought to check the server log and so I ran the client command again; the clock skew between the two systems is not measurable.)

The problem occurs every time I attempt to join the FreeIPA domain; I have run it about 100 times now, just to see, as I found a verified RH ticket against an older FreeIPA where a user was indicating that they had this same type of trouble intermittently, but that was no use to me.

Anyone have an idea? Someplace else to look? Should I downgrade the client, or upgrade the server? Am I doing something wrong?

        Thanks a million!

        Mike

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
