Re: [Freeipa-users] What is the use of /etc/krb5.conf?
Thanks Martin, and I always forget I can man a conf file.

On Tuesday, November 8, 2016 12:09 PM, Martin Babinsky <mbabi...@redhat.com> wrote:

On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which kerberos server the clients talk
> to.
>
> As a test, I removed /etc/krb5.conf and rebooted the client. After
> reboot, I can still log in and "kinit user".
> Removing /etc/krb5.keytab, however, would stop users from logging in and
> sssd from starting.
>

/etc/krb5.conf configures the Kerberos client library: it instructs the client about which realm it should use, whether to use DNS discovery or a static list of KDCs, and the mapping between DNS domains and realms. Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own configuration (realm, DNS discovery etc.) so it can authenticate the user even without a valid krb5.conf (as you observed). However, to pull in user info from the authoritative source (IPA LDAP), sssd authenticates against IPA as the host principal using /etc/krb5.keytab; that's why it stopped working and refused to start after you removed it.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
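Martin's point about what krb5.conf carries (realm, a static KDC list or DNS discovery, and the domain-to-realm mapping) can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA: a small parser for the krb5.conf format plus two helpers that report which realm a host maps to and how the client library would locate a KDC. The sample config, EXAMPLE.COM and ipa-server.example.com are constructed placeholders.

```python
# Added example, not code from the thread: inspect a krb5.conf the way Martin
# describes it. SAMPLE_KRB5_CONF is constructed; EXAMPLE.COM is a placeholder.
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true
[realms]
  EXAMPLE.COM = {
    kdc = ipa-server.example.com:88
  }
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'key = {' nests one level, values are lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)   # kdc may repeat
    return conf

def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host, then the longest '.suffix' entry,
    else default_realm (simplified: libkrb5 also tries DNS and referrals)."""
    mapping, host = conf.get("domain_realm", {}), hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    for suffix in sorted((k for k in mapping if k[0] == "."), key=len, reverse=True):
        if host.endswith(suffix):
            return mapping[suffix][0]
    return conf["libdefaults"]["default_realm"][0]

def kdc_lookup_plan(conf, realm=None):
    """Static kdc lines and/or DNS SRV discovery (MIT default: dns_lookup_kdc=true)."""
    realm = realm or conf["libdefaults"]["default_realm"][0]
    static = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    dns = conf["libdefaults"].get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes")
    return {"realm": realm, "static_kdcs": static, "dns_lookup_kdc": dns}
```

Running kdc_lookup_plan over a client's real /etc/krb5.conf shows whether removing the static kdc lines would leave the host depending entirely on DNS SRV records, which is the situation the thread's kinit test exercised.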
[Freeipa-users] What is the use of /etc/krb5.conf?
I thought /etc/krb5.conf controls which kerberos server the clients talk to.

As a test, I removed /etc/krb5.conf and rebooted the client. After reboot, I can still log in and "kinit user". Removing /etc/krb5.keytab, however, would stop users from logging in and sssd from starting.
Re: [Freeipa-users] /etc/ipa/default.conf on clients
Thank you, Martin.

On Thursday, November 3, 2016 4:12 AM, Martin Basti <mba...@redhat.com> wrote:

On 02.11.2016 20:07, Ask Stack wrote:
> I need to migrate the ipa server from host rhel6.local to host rhel7.local and retire host rhel6.local. For the existing clients, do I need to change /etc/ipa/default.conf? Do I even need this file if sssd is working on the clients? Thanks.
>
> The current default.conf has two lines pointing to rhel6.local.
>
> #File modified by ipa-client-install
> [global]
> basedn =
> realm =
> domain =
> server = rhel6.local
> xmlrpc_uri = https://rhel6.local/ipa/xml
> enable_ra = True

Hello,
this file is required for `ipa` commands on the client.

Martin
[Freeipa-users] /etc/ipa/default.conf on clients
I need to migrate the ipa server from host rhel6.local to host rhel7.local and retire host rhel6.local. For the existing clients, do I need to change /etc/ipa/default.conf? Do I even need this file if sssd is working on the clients? Thanks.

The current default.conf has two lines pointing to rhel6.local.

#File modified by ipa-client-install
[global]
basedn =
realm =
domain =
server = rhel6.local
xmlrpc_uri = https://rhel6.local/ipa/xml
enable_ra = True
Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
Thank you.

On Tuesday, May 24, 2016 9:56 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/.

/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results for that connection. The errors log tends to just log critical problems so it may not have much.

rob

>
> On Monday, May 23, 2016 5:10 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Ask Stack wrote:
> > Rob
> > Thanks for the reply.
> > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> > errors and /var/log/krb5kdc.log
> > Do you know which service is responsible for providing
> > "/etc/krb5.keytab" to the client?
>
> It uses an LDAP extended operation so 389-ds. Any errors would be in the
> KDC log or, more likely, in the 389-ds logs.
>
> rob
>
> > On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > Ask Stack wrote:
> > > My company's ipa-client-install fails very often. Debug logs show the
> > > process always failed at getting the /etc/krb5.keytab.
> > > Is there a way to modify the script to increase the number of attempts to
> > > create /etc/krb5.keytab?
> > >
> > > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > > host TGT (defaults to 5)." But it comes after setting up the
> > > "/etc/krb5.keytab" file.
> > > Thanks.
> > >
> > > server
> > > ipa-server-3.0.0-47.el6_7.1.x86_64
> > >
> > > client
> > > ipa-client-3.0.0-47.el6_7.2.x86_64
> > > ipa-client-3.0.0-50.el6.1.x86_64
> > >
> > > #SUCCESSFUL ATTEMPT
> > >
> > > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > > Certificate subject base is: O=TEST.COM
> > >
> > > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > > 2016-05-23T14:40:49Z DEBUG stdout=
> > > 2016-05-23T14:40:49Z DEBUG stderr=
> > >
> > > #FAILED ATTEMPT
> > >
> > > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > > Certificate subject base is: O=TEST.COM
> > >
> > > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > > 2016-05-23T14:37:08Z DEBUG stdout=
> > > 2016-05-23T14:37:08Z DEBUG stderr=
> >
> > There is no retry capability and in some cases would be impossible to
> > add (the one-time password case). Can you check /var/log/krb5kdc on the
> > IPA master it connected to, and the 389-ds access and errors logs as
> > well. Perhaps one of those will have more information on why things
> > failed.
> >
> > rob
Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
Sorry for asking the dumb question again. Where are the 389-ds logs? I can't find them in /var/log/.

On Monday, May 23, 2016 5:10 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the KDC log or, more likely, in the 389-ds logs.

rob

> On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Ask Stack wrote:
> > My company's ipa-client-install fails very often. Debug logs show the
> > process always failed at getting the /etc/krb5.keytab.
> > Is there a way to modify the script to increase the number of attempts to
> > create /etc/krb5.keytab?
> >
> > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > host TGT (defaults to 5)." But it comes after setting up the
> > "/etc/krb5.keytab" file.
> > Thanks.
> >
> > server
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> >
> > client
> > ipa-client-3.0.0-47.el6_7.2.x86_64
> > ipa-client-3.0.0-50.el6.1.x86_64
> >
> > #SUCCESSFUL ATTEMPT
> >
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > 2016-05-23T14:40:49Z DEBUG stdout=
> > 2016-05-23T14:40:49Z DEBUG stderr=
> >
> > #FAILED ATTEMPT
> >
> > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > 2016-05-23T14:37:08Z DEBUG stdout=
> > 2016-05-23T14:37:08Z DEBUG stderr=
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
>
> rob
Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
Rob
Thanks for the reply.
I didn't find anything obvious in /var/log/dirsrv/slapd-/access and errors and /var/log/krb5kdc.log
Do you know which service is responsible for providing "/etc/krb5.keytab" to the client?

On Monday, May 23, 2016 2:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Ask Stack wrote:
> My company's ipa-client-install fails very often. Debug logs show the
> process always failed at getting the /etc/krb5.keytab.
> Is there a way to modify the script to increase the number of attempts to
> create /etc/krb5.keytab?
>
> I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> host TGT (defaults to 5)." But it comes after setting up the
> "/etc/krb5.keytab" file.
> Thanks.
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
> ipa-client-3.0.0-50.el6.1.x86_64
>
> #SUCCESSFUL ATTEMPT
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:40:49Z DEBUG args=kdestroy
> 2016-05-23T14:40:49Z DEBUG stdout=
> 2016-05-23T14:40:49Z DEBUG stderr=
>
> #FAILED ATTEMPT
>
> ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:37:08Z DEBUG args=kdestroy
> 2016-05-23T14:37:08Z DEBUG stdout=
> 2016-05-23T14:37:08Z DEBUG stderr=

There is no retry capability and in some cases would be impossible to add (the one-time password case). Can you check /var/log/krb5kdc on the IPA master it connected to, and the 389-ds access and errors logs as well. Perhaps one of those will have more information on why things failed.

rob
[Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
My company's ipa-client-install fails very often. Debug logs show the process always failed at getting the /etc/krb5.keytab. Is there a way to modify the script to increase the number of attempts to create /etc/krb5.keytab?

I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain host TGT (defaults to 5)." But it comes after setting up the "/etc/krb5.keytab" file.
Thanks.

server
ipa-server-3.0.0-47.el6_7.1.x86_64

client
ipa-client-3.0.0-47.el6_7.2.x86_64
ipa-client-3.0.0-50.el6.1.x86_64

#SUCCESSFUL ATTEMPT

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
2016-05-23T14:40:49Z DEBUG stdout=
2016-05-23T14:40:49Z DEBUG stderr=

#FAILED ATTEMPT

ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
2016-05-23T14:37:08Z DEBUG stdout=
2016-05-23T14:37:08Z DEBUG stderr=
Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.
Martin
Thanks for the reply.

tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a failed ipa client install and plenty of activity during a good install.

And sorry, I missed a big piece of information. The debug log showed

ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.

Basically /etc/krb5.keytab didn't get created.

I always wondered why we needed "--ca-cert-file=/etc/ipa/ca.crt", so I ran the ipa-client-install without it. I tested the install twenty times and had no failure. The ca.crt I provided and the one ipa-client-install downloaded are identical.

On Friday, April 22, 2016 3:09 AM, Martin Babinsky <mbabi...@redhat.com> wrote:

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT. Google
> showed posts like, Bug 845691 – ipa-client-install Failed to obtain host
> TGT <https://bugzilla.redhat.com/show_bug.cgi?id=845691>. I reduced
> '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp'
> '_kerberos._udp' to one server entry only. But it didn't help to reduce
> the failure rate. Thanks for your help.
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipa...@example.com -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab
> host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial
> credentials
>
> Failed to obtain host TGT.
>

Hello, can you please provide the KDC log from the server you are enrolling against? IIRC it should be in /var/log/krb5kdc.log

--
Martin^3 Babinsky
[Freeipa-users] Client enrolled but failed to obtain host TGT.
Half the time ipa-client-install will fail at getting the TGT. Google showed posts like, Bug 845691 – ipa-client-install Failed to obtain host TGT. I reduced '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' to one server entry only. But it didn't help to reduce the failure rate. Thanks for your help.

client
ipa-client-3.0.0-47.el6_7.2.x86_64

server
ipa-server-3.0.0-47.el6_7.1.x86_64

ipa-client-install --hostname=client1.example.com --server=ipa-server.example.com --domain=example.com -N --mkhomedir --unattended -p ipa...@example.com -w 'password1' --ca-cert-file=/etc/ipa/ca.crt -d
...
...
Enrolled in IPA realm EXAMPLE.COM
args=kdestroy
stdout=
stderr=
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
stdout=
stderr=kinit: Generic preauthentication failure while getting initial credentials

Failed to obtain host TGT.