> On Fri, 05 Jun 2015, Nathan Peters wrote:
>>I had originally set this up with AD trust but when we found out that
>>our alternative UPNs were not supported we switched to ad sync.  I
>>removed the trust relationship from the webui by deleting all trusts
>>showing in the ui.
>>
>>I then set it up for sync.
>>
>>Do I need to remove the trust from the command line as well?  Does
>>deleting a trust in the web ui not remove *all* settings related to
>>that trust?
> No, it removes the trust the same way.
>
> However, do you have anything in /var/log/krb5kdc.log which points to
> SID filtering or a crash?
>
> --
> / Alexander Bokovoy
>

I have searched the entire /var/log/krb5kdc.log for the last week and
there is nothing matching "sid" or "SID" in that file.

Here are the only relevant errors I could find in krb5kdc.log (filtered to
remove duplicate entries):

Jun 04 23:06:43 dc1.ipadomain.net krb5kdc[1845](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit support
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes
{18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0,  <unknown client>
for HTTP/dc1.ipadomain.net@ipadomain.net, Server not found in Kerberos database

And here are some things from the /var/log/dirsrv logs:

Jun 06 00:44:10 dc1.ipadomain.net krb5kdc[11447](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit support
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 11:54:37 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 13:46:07 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 13:50:52 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 18:38:18 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 21:59:10 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN
SERVER: server='krbtgt/ipadomain....@office.addomain.net'

So it appears that even though I removed the trust and rebooted both
servers, there is still some remnant of it sticking around somewhere.

The krb5kdc logs seem to indicate that we are still trying to get a shared
ticket for the AD realm?

The dirsrv logs also seem to point to trying to get a ticket for that
realm.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
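For anyone repeating the log search described in the post, here is an added example (not code from the thread or from the FreeIPA project) that parses krb5kdc.log lines, counts duplicate messages the way the poster filtered them, greps for SID mentions, and flags TGS requests for a krbtgt principal in a realm other than the local one, which is what a lingering cross-realm request looks like after a trust has been removed. The sample log is the excerpt quoted above with wrapped lines re-joined; the local realm name `ipadomain.net` is assumed from the hostnames in the post.

```python
import re
from collections import Counter

# Constructed sample input: the krb5kdc.log excerpt from the post above, with
# line-wrapped entries re-joined. The truncated principal is kept exactly as it
# appeared in the post; a real log would carry the full realm name.
SAMPLE_LOG = """\
Jun 04 23:06:43 dc1.ipadomain.net krb5kdc[1845](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0,  <unknown client> for HTTP/dc1.ipadomain.net@ipadomain.net, Server not found in Kerberos database
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain....@office.addomain.net'
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/ipadomain....@office.addomain.net'
"""

# One krb5kdc.log line: "<Mon DD HH:MM:SS> <host> krb5kdc[<pid>](<level>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# The service principal named in an "UNKNOWN SERVER" error.
SERVER_RE = re.compile(r"server='(?P<princ>[^']+)'")


def parse_kdc_log(text):
    """Parse krb5kdc.log text into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def dedupe_messages(entries):
    """Count identical messages, as the poster did when removing duplicates."""
    return Counter(e["msg"] for e in entries)


def mentions_sid(entries):
    """Entries whose message mentions a SID (case-insensitive), e.g. SID filtering."""
    return [e for e in entries if re.search(r"\bsid\b", e["msg"], re.IGNORECASE)]


def find_cross_realm_krbtgt(entries, local_realm):
    """Flag requests for a krbtgt principal whose realm is not the local realm.

    krbtgt/<target>@<issuer> is a cross-realm TGT principal. Once a trust has
    been removed, such requests indicate a client that still carries stale
    trust configuration or cached credentials for the foreign realm.
    """
    hits = []
    for e in entries:
        m = SERVER_RE.search(e["msg"])
        if not m:
            continue
        princ = m.group("princ")
        if not princ.startswith("krbtgt/"):
            continue
        name, _, realm = princ.rpartition("@")
        if realm.lower() != local_realm.lower():
            hits.append({
                "ts": e["ts"],
                "pid": e["pid"],
                "principal": princ,
                "target": name[len("krbtgt/"):],
                "foreign_realm": realm,
            })
    return hits


if __name__ == "__main__":
    entries = parse_kdc_log(SAMPLE_LOG)
    for msg, n in dedupe_messages(entries).most_common():
        print(f"{n:3d}x {msg[:80]}")
    print("SID mentions:", len(mentions_sid(entries)))
    for h in find_cross_realm_krbtgt(entries, "ipadomain.net"):
        print(f"{h['ts']} cross-realm krbtgt for {h['foreign_realm']}: {h['principal']}")
```

Run against the real file (`python3 kdclog.py < /var/log/krb5kdc.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the cross-realm hits give the timestamps and KDC PIDs to correlate with client addresses in the neighbouring `PROCESS_TGS` lines, which is how to locate the host that still thinks the trust exists.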
