Hi Rob,

The IPA client version is: ipa-client-2.1.3-7.el5
[root@apa01-tst ~]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/11/14 15:55:02 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/[email protected] (Triple DES cbc mode with HMAC/sha1)
   2 03/11/14 15:55:02 host/[email protected] (ArcFour with HMAC/md5)

This is what shows up in the logfile krb5kdc.log on the KDC:

Mar 11 15:55:02 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for HTTP/[email protected]
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for HTTP/[email protected]
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]

Cheers,
Patrick

On Tue, Mar 11, 2014 at 2:00 PM, Rob Crittenden <[email protected]> wrote:

> Patrick de Ruiter wrote:
>
>> When I want to enroll a new machine the ipa-client-install process bails out with the error "Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)".
>> The output below is the debug output:
>>
>> [root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
>>
>> root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM', 'unattended': True, 'ntp_server': 'ns01.example.com', 'principal': None}
>> root : DEBUG missing options might be asked for interactively later
>> root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> root : DEBUG [IPA Discovery]
>> root : DEBUG Starting IPA discovery with domain=example.com, servers=None, hostname=apa01-tst.chn1.oob.example.com
>> root : DEBUG Search for LDAP SRV record in example.com
>> root : DEBUG [ipadnssearchldap]
>> root : DEBUG [ipadnssearchkrb]
>> root : DEBUG [ipacheckldap]
>> root : DEBUG Verifying that auth01.example.com (realm EXAMPLE.COM) is an IPA server
>> root : DEBUG Init ldap with: ldap://auth01.example.com:389
>> root : DEBUG Search LDAP server for IPA base DN
>> root : DEBUG Check if naming context 'dc=pp,dc=ams' is for IPA
>> root : DEBUG Naming context 'dc=pp,dc=ams' is a valid IPA context
>> root : DEBUG Search for (objectClass=krbRealmContainer) in dc=pp,dc=ams(sub)
>> root : DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees': ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
>> root : DEBUG Discovery result: Success; server=auth01.example.com, domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
>> root : DEBUG Validated servers: auth01.example.com
>> root : DEBUG will use domain: example.com
>> root : DEBUG [ipadnssearchldap(example.com)]
>> root : DEBUG DNS validated, enabling discovery
>> root : DEBUG will use discovered server: auth01.example.com
>> Discovery was successful!
>> root : DEBUG will use cli_realm: EXAMPLE.COM
>> root : DEBUG will use cli_basedn: dc=pp,dc=ams
>> Hostname: apa01-tst.chn1.oob.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: auth01.example.com
>> BaseDN: dc=pp,dc=ams
>>
>> Synchronizing time with KDC...
>> root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
>> root : DEBUG stdout=
>> root : DEBUG stderr=
>> root : DEBUG Writing Kerberos configuration to /tmp/tmpM19nuR:
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>> default_realm = EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> EXAMPLE.COM = {
>> kdc = auth01.example.com:88
>> master_kdc = auth01.example.com:88
>> admin_server = auth01.example.com:749
>> default_domain = example.com
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .example.com = EXAMPLE.COM
>> example.com = EXAMPLE.COM
>>
>> root : INFO OTP case, CA cert preexisted, use it
>> root : DEBUG args=/usr/sbin/ipa-join -s auth01.example.com -b dc=pp,dc=ams -d -w XXXXXXXX
>> root : DEBUG stdout=
>> root : DEBUG stderr=request done: ld 0x172d1d10 msgid 1
>> request done: ld 0x172d1d10 msgid 2
>> request done: ld 0x172d1d10 msgid 3
>> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
>> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>> Certificate subject base is: O=EXAMPLE.COM
>> Enrolled in IPA realm EXAMPLE.COM
>> root : DEBUG args=/usr/kerberos/bin/kinit -k -t /etc/krb5.keytab host/[email protected]
>> root : DEBUG stdout=
>> root : DEBUG stderr=kinit(v5): Password incorrect while getting initial credentials
>> Failed to obtain host TGT.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>
> I don't think this is related to the DES failure, it just means that the KDC doesn't issue DES keys (a good thing).
>
> What keys are in the keytab, and why are errors logged in the KDC when this kinit fails?
>
> What is the rpm version of ipa-client?
>
> rob
>
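The two artefacts exchanged in this thread, a `klist -kte` listing and a run of krb5kdc.log lines, are what an administrator triages when a freshly enrolled host cannot kinit with its keytab. The following script is an added example, not code from the thread or from FreeIPA: it parses both formats, reports the KVNOs and enctypes stored in the keytab, flags DES, 3DES and RC4 keys and the deprecated enctypes a client offers on the wire (RFC 6649 and RFC 8429), counts KDC requests per client and status, and pulls out any PREAUTH_FAILED events with the KDC's reason. The sample inputs are constructed to mirror the shapes shown above; the hostnames, IPs, principals and the PREAUTH_FAILED line are placeholders, not values from the thread.

```python
"""Triage helper for a keytab listing plus krb5kdc.log extracts (added example)."""
import re
from collections import Counter

# IANA Kerberos enctype numbers as they appear in krb5kdc.log "etypes {...}".
ETYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
               16: "des3-cbc-sha1", 23: "arcfour-hmac",
               1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
# Deprecated by RFC 6649 (single DES, export RC4) and RFC 8429 (3DES, RC4).
DEPRECATED_ETYPES = {1, 2, 3, 16, 23}

# Constructed sample modelled on `klist -kte`; principal and times are placeholders.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/11/14 15:55:02 host/client.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/client.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/client.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   2 03/11/14 15:55:02 host/client.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# Constructed krb5kdc.log sample; the final PREAUTH_FAILED line is the shape the KDC
# logs when the key offered for pre-authentication does not decrypt (assumed, not from the thread).
KDC_LOG = """\
Mar 11 15:55:02 kdc01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.33: NEEDED_PREAUTH: host/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 11 15:55:02 kdc01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 11 15:55:02 kdc01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/client.example.com@EXAMPLE.COM for HTTP/kdc01.example.com@EXAMPLE.COM
Mar 11 15:55:02 kdc01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.0.0.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 11 15:55:02 kdc01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.21: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/kdc01.example.com@EXAMPLE.COM for ldap/kdc01.example.com@EXAMPLE.COM
Mar 11 15:55:05 kdc01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.33: PREAUTH_FAILED: host/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.+)\)\s*$")
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>\w+): (?P<rest>.*)$")


def parse_keytab(text):
    """Rows of a `klist -kte` listing as dicts: kvno, timestamp, principal, enctype."""
    rows = []
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            rows.append({"kvno": int(m.group(1)), "timestamp": m.group(2),
                         "principal": m.group(3), "enctype": m.group(4)})
    return rows


def deprecated_keytab_entries(rows):
    """Keytab entries whose enctype name denotes a DES, 3DES or RC4 key."""
    return [r for r in rows if any(w in r["enctype"] for w in ("DES", "ArcFour", "arcfour"))]


def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line: who asked, from where, outcome, etypes."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue
        rest, status = m.group("rest"), m.group("status")
        who = re.search(r"(\S+) for ([^\s,]+)", rest)       # "client for server"
        ses = re.search(r"ses=(\d+)", rest)                   # only on ISSUE lines
        events.append({
            "time": m.group("ts"), "request": m.group("req"), "client_ip": m.group("ip"),
            "status": status, "offered": [int(e) for e in m.group("etypes").split()],
            "client": who.group(1) if who else None, "server": who.group(2) if who else None,
            "session_etype": int(ses.group(1)) if ses else None,
            # Non-ISSUE lines carry the KDC's reason after the principal pair.
            "reason": rest.split(", ", 1)[1] if status != "ISSUE" and ", " in rest else None})
    return events


def review(rows, events):
    """Defender-side summary of keys on disk, etypes on the wire and failed pre-auth."""
    offered = {}
    for e in events:
        bad = set(e["offered"]) & DEPRECATED_ETYPES
        if bad:
            offered.setdefault(e["client_ip"], set()).update(bad)
    issued = Counter(e["session_etype"] for e in events if e["status"] == "ISSUE")
    return {
        "keytab_kvnos": sorted({r["kvno"] for r in rows}),
        "deprecated_keytab_keys": [r["enctype"] for r in deprecated_keytab_entries(rows)],
        "requests_by_ip_status": dict(Counter((e["client_ip"], e["status"]) for e in events)),
        "deprecated_offered": {ip: [ETYPE_NAMES.get(n, str(n)) for n in sorted(s)]
                               for ip, s in offered.items()},
        "issued_session_etypes": {ETYPE_NAMES.get(n, str(n)): c for n, c in issued.items()},
        "preauth_failures": [(e["time"], e["client_ip"], e["client"], e["reason"])
                             for e in events if e["status"] == "PREAUTH_FAILED"],
    }


if __name__ == "__main__":
    for key, value in review(parse_keytab(KLIST_OUTPUT), parse_kdc_log(KDC_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real host, the interesting comparison is the KVNO column of the keytab against what the KDC holds for that principal, and whether the kinit attempt shows up as PREAUTH_FAILED (key mismatch or clock skew) or does not appear at all (request never reached this KDC); the thread's own log shows only NEEDED_PREAUTH followed by ISSUE, so the failing kinit is not visible in the excerpt.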
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
