Patrick de Ruiter wrote:
When I want to enroll a new machine, the ipa-client-install process
bails out with the error "Failed to retrieve encryption type DES cbc
mode with CRC-32 (#1)".
The output below is the debug output:

[root@apa01-tst ~]# ipa-client-install -d --domain=example.com
<http://example.com> --mkhomedir -w otpass --realm=EXAMPLE.COM
<http://EXAMPLE.COM>  --ntp-server=ns01.example.com
<http://ns01.example.com>   --unattended
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': 'example.com
<http://example.com>', 'uninstall': False, 'force': False, 'sssd': True,
'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'mkhomedir': True,
'dns_updates': False, 'preserve_sssd': False, 'debug': True,
'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM
<http://EXAMPLE.COM>', 'unattended': True, 'ntp_server':
'ns01.example.com <http://ns01.example.com>', 'principal': None}
root        : DEBUG    missing options might be asked for interactively
later

root        : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [IPA Discovery]
root        : DEBUG    Starting IPA discovery with domain=example.com
<http://example.com>, servers=None,
hostname=apa01-tst.chn1.oob.example.com
<http://apa01-tst.chn1.oob.example.com>
root        : DEBUG    Search for LDAP SRV record in example.com
<http://example.com>
root        : DEBUG    [ipadnssearchldap]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Verifying that auth01.example.com
<http://auth01.example.com> (realm EXAMPLE.COM <http://EXAMPLE.COM>) is
an IPA server
root        : DEBUG    Init ldap with: ldap://auth01.example.com:389
<http://auth01.example.com:389>
root        : DEBUG    Search LDAP server for IPA base DN
root        : DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
root        : DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA context
root        : DEBUG    Search for (objectClass=krbRealmContainer) in
dc=pp,dc=ams(sub)
root        : DEBUG    Found: [('cn=EXAMPLE.COM
<http://EXAMPLE.COM>,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees':
['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM <http://EXAMPLE.COM>'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
['86400'], 'krbMaxRenewableAge': ['604800']})]
root        : DEBUG    Discovery result: Success;
server=auth01.example.com <http://auth01.example.com>,
domain=example.com <http://example.com>, kdc=auth01.example.com
<http://auth01.example.com>, basedn=dc=pp,dc=ams
root        : DEBUG    Validated servers: auth01.example.com
<http://auth01.example.com>
root        : DEBUG    will use domain: example.com <http://example.com>

root        : DEBUG    [ipadnssearchldap(example.com <http://example.com>)]
root        : DEBUG    DNS validated, enabling discovery
root        : DEBUG    will use discovered server: auth01.example.com
<http://auth01.example.com>
Discovery was successful!
root        : DEBUG    will use cli_realm: EXAMPLE.COM <http://EXAMPLE.COM>

root        : DEBUG    will use cli_basedn: dc=pp,dc=ams

Hostname: apa01-tst.chn1.oob.example.com
<http://apa01-tst.chn1.oob.example.com>
Realm: EXAMPLE.COM <http://EXAMPLE.COM>
DNS Domain: example.com <http://example.com>
IPA Server: auth01.example.com <http://auth01.example.com>
BaseDN: dc=pp,dc=ams


Synchronizing time with KDC...
root        : DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b
auth01.example.com <http://auth01.example.com>
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
#File modified by ipa-client-install

[libdefaults]
   default_realm = EXAMPLE.COM <http://EXAMPLE.COM>
   dns_lookup_realm = false
   dns_lookup_kdc = false
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

[realms]
EXAMPLE.COM <http://EXAMPLE.COM> = {
     kdc = auth01.example.com:88 <http://auth01.example.com:88>
     master_kdc = auth01.example.com:88 <http://auth01.example.com:88>
     admin_server = auth01.example.com:749 <http://auth01.example.com:749>
     default_domain = example.com <http://example.com>
     pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

[domain_realm]
   .example.com <http://example.com> = EXAMPLE.COM <http://EXAMPLE.COM>
example.com <http://example.com> = EXAMPLE.COM <http://EXAMPLE.COM>


root        : INFO     OTP case, CA cert preexisted, use it
root        : DEBUG    args=/usr/sbin/ipa-join -s auth01.example.com
<http://auth01.example.com> -b dc=pp,dc=ams -d -w XXXXXXXX
root        : DEBUG    stdout=
root        : DEBUG    stderr=request done: ld 0x172d1d10 msgid 1
request done: ld 0x172d1d10 msgid 2
request done: ld 0x172d1d10 msgid 3
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=EXAMPLE.COM <http://EXAMPLE.COM>

Enrolled in IPA realm EXAMPLE.COM <http://EXAMPLE.COM>
root        : DEBUG    args=/usr/kerberos/bin/kinit -k -t
/etc/krb5.keytab host/apa01-tst.chn1.oob.example....@example.com
<mailto:apa01-tst.chn1.oob.example....@example.com>
root        : DEBUG    stdout=
root        : DEBUG    stderr=kinit(v5): Password incorrect while
getting initial credentials

Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

I don't think this is related to the DES failure. The realm's krbSupportedEncSaltTypes in the discovery output above lists only AES, 3DES and RC4, so that message just means ipa-join asked for a single-DES key type the KDC doesn't issue (a good thing — single DES is broken and should not be handed out). The actual failure is the kinit at the end: "Password incorrect" against a keytab that was just retrieved usually means the keys stored in /etc/krb5.keytab don't match what the KDC holds for the host principal, which is worth checking before anything else.

What keys (principal, kvno and enctype) are in the keytab — `klist -kte /etc/krb5.keytab` will show them — and what errors are logged on the KDC when this kinit fails?

What is the rpm version of ipa-client (`rpm -q ipa-client`)?

rob

