Patrick de Ruiter wrote:
When I want to enroll a new machine, the ipa-client-install process
bails out with the error "Failed to retrieve encryption type DES cbc
mode with CRC-32 (#1)".
The output below is the debug output:

[root@apa01-tst ~]# ipa-client-install -d
<> --mkhomedir -w otpass --realm=EXAMPLE.COM
<>   --unattended
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': '
<>', 'uninstall': False, 'force': False, 'sssd': True,
'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'mkhomedir': True,
'dns_updates': False, 'preserve_sssd': False, 'debug': True,
'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM
<http://EXAMPLE.COM>', 'unattended': True, 'ntp_server':
' <>', 'principal': None}
root        : DEBUG    missing options might be asked for interactively

root        : DEBUG    Loading Index file from
root        : DEBUG    Loading StateFile from
root        : DEBUG    [IPA Discovery]
root        : DEBUG    Starting IPA discovery with
<>, servers=None,
root        : DEBUG    Search for LDAP SRV record in
root        : DEBUG    [ipadnssearchldap]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Verifying that
<> (realm EXAMPLE.COM <http://EXAMPLE.COM>) is
an IPA server
root        : DEBUG    Init ldap with: ldap://
root        : DEBUG    Search LDAP server for IPA base DN
root        : DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
root        : DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA context
root        : DEBUG    Search for (objectClass=krbRealmContainer) in
root        : DEBUG    Found: [('cn=EXAMPLE.COM
<http://EXAMPLE.COM>,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees':
['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM <http://EXAMPLE.COM>'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
['86400'], 'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    Discovery result: Success; <>, <>,
<>, basedn=dc=pp,dc=ams
root        : DEBUG    Validated servers:
root        : DEBUG    will use domain: <>

root        : DEBUG    [ipadnssearchldap( <>)]
root        : DEBUG    DNS validated, enabling discovery
root        : DEBUG    will use discovered server:
Discovery was successful!
root        : DEBUG    will use cli_realm: EXAMPLE.COM <http://EXAMPLE.COM>

root        : DEBUG    will use cli_basedn: dc=pp,dc=ams

DNS Domain: <>
IPA Server: <>
BaseDN: dc=pp,dc=ams

Synchronizing time with KDC...
root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b <>
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
#File modified by ipa-client-install

   default_realm = EXAMPLE.COM <http://EXAMPLE.COM>
   dns_lookup_realm = false
   dns_lookup_kdc = false
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

     kdc = <>
     master_kdc = <>
     admin_server = <>
     default_domain = <>
     pkinit_anchors = FILE:/etc/ipa/ca.crt

[domain_realm] <> = EXAMPLE.COM <http://EXAMPLE.COM> <> = EXAMPLE.COM <http://EXAMPLE.COM>

root        : INFO     OTP case, CA cert preexisted, use it
root        : DEBUG    args=/usr/sbin/ipa-join -s
<> -b dc=pp,dc=ams -d -w XXXXXXXX
root        : DEBUG    stdout=
root        : DEBUG    stderr=request done: ld 0x172d1d10 msgid 1
request done: ld 0x172d1d10 msgid 2
request done: ld 0x172d1d10 msgid 3
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=EXAMPLE.COM <http://EXAMPLE.COM>

Enrolled in IPA realm EXAMPLE.COM <http://EXAMPLE.COM>
root        : DEBUG    args=/usr/kerberos/bin/kinit -k -t
/etc/krb5.keytab host/
root        : DEBUG    stdout=
root        : DEBUG    stderr=kinit(v5): Password incorrect while
getting initial credentials

Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

I don't think this is related to the DES failure; it just means that the KDC doesn't issue DES keys (a good thing).

What keys are in the keytab, and what errors are logged in the KDC when this kinit fails?

What is the rpm version of ipa-client?


Freeipa-users mailing list
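
The reply above asks which keys are in the keytab. As an added example (not part of the thread and not FreeIPA code), this Python reads the MIT keytab file format (version 0x0502), lists each entry's principal, kvno and enctype without printing key bytes, and compares the result with the krbSupportedEncSaltTypes values from the quoted log. The host name client.example.com and the all-zero keys are constructed sample data.

```python
import struct

# Enctype numbers for the names in the quoted log, and the realm's
# krbSupportedEncSaltTypes names (salt suffixes dropped).
ENCTYPES = {1: "des-cbc-crc", 16: "des3-hmac-sha1", 17: "aes128-cts",
            18: "aes256-cts", 23: "arcfour-hmac"}
REALM_SUPPORTED = {"aes256-cts", "aes128-cts", "des3-hmac-sha1", "arcfour-hmac"}

def _counted(data, p):
    """Read a 16-bit length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)   # pos now at the next record
        if size <= 0:                               # negative size: deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                                      # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _counted(data, p + 3)             # key bytes are never reported
        if pos - p >= 4:                            # optional 32-bit kvno overrides
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
    return entries

def not_in_keytab(entries, supported=REALM_SUPPORTED):
    """Realm-supported enctypes for which the keytab holds no key."""
    return sorted(supported - {name for _, _, name in entries})

def sample_keytab():
    """Constructed keytab: all-zero keys, hypothetical host principal, kvno 1."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for etype, klen in ((18, 32), (17, 16), (16, 24), (23, 16)):
        body = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"host")
                + cs(b"client.example.com") + struct.pack(">IIBH", 1, 0, 1, etype)
                + cs(bytes(klen)) + struct.pack(">I", 1))
        out += struct.pack(">i", len(body)) + body
    return out
```

On an enrolled host, pass the bytes of /etc/krb5.keytab to `parse_keytab`; `klist -kte /etc/krb5.keytab` reports the same fields.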