[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
We have temporarily canceled the cockpit deployment and retrieved a freeipa backup to recover the normal state while we understand how to make freeipa and cockpit work together.

Thanks for your help, Rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
Phinees Garandi via FreeIPA-users wrote:
> For your question : Is there a reason you are forcing domain, realm and
> server?
>
> I have to provide server and realm as discovery never really worked.
>
> Indeed DNS seems to be ok regarding below commands
>
> [root@test ~]# host -t SRV _kerberos._udp.toto.fr
> _kerberos._udp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
> [root@test ~]# host -t SRV _kerberos._tcp.toto.fr
> _kerberos._tcp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
> [root@test ~]# host -t SRV _ldap._tcp.toto.fr
> _ldap._tcp.toto.fr has SRV record 0 100 389 ipa.toto.fr.
>
> but freeipa-client-install fails in discovery mode

The sort of thing we'd need to see the logs for, or you can dig thru it yourself. They are pretty verbose when it comes to discovery. It should tell you what it's missing.

rob
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
The server returned a 401 to the authentication request. You'll want to look in the apache error log file on the IPA server to see if that holds any clues.

rob

Phinees Garandi via FreeIPA-users wrote:
> Hello Rob,
>
> I also tested using the --force flag the output is the same
>
> this is the content of /var/log/ipaclient-install
>
> `2021-12-02T15:31:13Z DEBUG Logging to /var/log/ipaclient-install.log
> 2021-12-02T15:31:13Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': 'admin', 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': True, 'configure_firefox': True, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': ['ipa.toto.fr'], 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'toto.fr', 'servers': ['ipa.toto.fr'], 'realm_name': 'toto.FR', 'host_name': 'slurm-nfs.toto.fr', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
> 2021-12-02T15:31:13Z DEBUG IPA version 4.9.6-6.module+el8.5.0+674+69615a50
> 2021-12-02T15:31:13Z DEBUG IPA platform rhel
> 2021-12-02T15:31:13Z DEBUG IPA os-release Rocky Linux 8.4 (Green Obsidian)
> 2021-12-02T15:31:13Z DEBUG Starting external process
> 2021-12-02T15:31:13Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2021-12-02T15:31:13Z DEBUG Process finished, return code=0
> 2021-12-02T15:31:13Z DEBUG stdout=
> 2021-12-02T15:31:13Z DEBUG stderr=
> 2021-12-02T15:31:13Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
For your question : Is there a reason you are forcing domain, realm and server?

I have to provide server and realm as discovery never really worked.

Indeed DNS seems to be ok regarding below commands

[root@test ~]# host -t SRV _kerberos._udp.toto.fr
_kerberos._udp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
[root@test ~]# host -t SRV _kerberos._tcp.toto.fr
_kerberos._tcp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
[root@test ~]# host -t SRV _ldap._tcp.toto.fr
_ldap._tcp.toto.fr has SRV record 0 100 389 ipa.toto.fr.

but freeipa-client-install fails in discovery mode
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
Hello Rob,

I also tested using the --force flag the output is the same

this is the content of /var/log/ipaclient-install

`2021-12-02T15:31:13Z DEBUG Logging to /var/log/ipaclient-install.log
2021-12-02T15:31:13Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': 'admin', 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': True, 'configure_firefox': True, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': ['ipa.toto.fr'], 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'toto.fr', 'servers': ['ipa.toto.fr'], 'realm_name': 'toto.FR', 'host_name': 'slurm-nfs.toto.fr', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2021-12-02T15:31:13Z DEBUG IPA version 4.9.6-6.module+el8.5.0+674+69615a50
2021-12-02T15:31:13Z DEBUG IPA platform rhel
2021-12-02T15:31:13Z DEBUG IPA os-release Rocky Linux 8.4 (Green Obsidian)
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-12-02T15:31:13Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=1
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=Failed to get unit file state for ntpd.service: No such file or directory

2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-active', 'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=3
2021-12-02T15:31:13Z DEBUG stdout=inactive

2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['sudo', '-V']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=Sudo version 1.8.29
Options de configuration : --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p: --with-linux-audit --with-sssd
La version du greffon de politique de sudoers est 1.8.29
La version de la grammaire du fichier sudoers est 46

Chemin d'accès à sudoers : /etc/sudoers
chemin d'accès à nsswitch : /etc/nsswitch.conf
chemin d'accès à ldap.conf : /etc/sudo-ldap.conf
chemin d'accès à ldap.secret : /etc/ldap.secret
Méthodes d'authentification : 'pam'
Mécanisme syslog si syslog est utilisé pour la journalisation des événements : authpriv
Priorité syslog utilisée lorsque l'authentification de l'utilisateur est réussie : notice
Priorité Syslog utilisée lorsque l'authentification de l'utilisateur a échoué : alert
Ne pas tenir compte de « . » dans $PATH
Envoi d'un courriel si l'utilisateur ne figure pas dans sudoers
Adresse les recommandations d'usage à l'utilisateur lors de la première exécution de sudo
Exige l'authentification de l'utilisateur par défaut
L'utilisateur root peut exécuter sudo
Assignation systématique du répertoire personnel de l'utilisateur cible dans $HOME
Autorise la collecte de certaines informations dans le but d'afficher des messages d'erreurs pertinents
Visudo se conformera au contenu de la variable d'environnement EDITOR
Définir les variables d'environnement LOGNAME et USER
Longueur après laquelle intercaler un retour à la ligne dans le fichier journal (0 indique qu'il n'y a pas de retour à la ligne) : 80
Délai d'expiration de l'horodatage de l'authentification : 5,0 minutes
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
Important detail: I installed cockpit "https://cockpit-project.org/" and it was after that I had the bug.

I don't know if the cockpit installation had an impact.
[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)
Phinees Garandi via FreeIPA-users wrote:
> Hello everyone
>
> I encountered a bug while installing freeipa client.
>
> the command fails and I have this as an error message :
>
> `Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor
> code may provide more information, Minor (2529639107): No credentials cache
> found
> Installation failed. Force set so not rolling back changes.`
>
>
> This is my command :
>
> ipa-client-install \
> --mkhomedir \
> --ntp-server=my-ntp-server \
> --server=my-ipa-server \
> --domain=my-domain \
> --realm=MYREALM \
> --principal my-user \
> --ssh-trust-dns \
> --hostname=my-hostname
>
> thank you so much for your help.

We'd need to see the full /var/log/ipaclient-install to know what is going on. Or you can look at it.

The installer creates a temporary krb5.conf to be used to verify the remote server and do the initial setup. You may want to manually create a similar config file and see if you can get a ticket.

Is there a reason you are forcing domain, realm and server?

You must have also used the --force flag to get the message "Force set so not rolling back changes."

rob
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
lejeczek via FreeIPA-users wrote:
>
>
> On 06/01/18 19:51, lejeczek via FreeIPA-users wrote:
>> Failed to obtain host TGT: Major (851968): Unspecified GSS failure.
>> Minor code may provide more information, Minor (2529638936):
>> Preauthentication failed
>
> hi guys,
> I hit that error again. What I noticed is
> - on that candidate client when I changed resolver to look only at
> 127.0.0.1(which was not running) and used --server & --domain (thus
> essentially no dns) then client installation succeeded.
> Would that be just a coincidence and DNS plays no role at this stage?

What I would recommend doing is leave DNS enabled and wait for a failed enrollment and see what master it is enrolling against. That should help narrow things down, especially if the failing master does not match the one you can force success with.

rob
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
On 06/01/18 19:51, lejeczek via FreeIPA-users wrote:
> Failed to obtain host TGT: Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529638936):
> Preauthentication failed

hi guys,
I hit that error again. What I noticed is
- on that candidate client when I changed resolver to look only at 127.0.0.1(which was not running) and used --server & --domain (thus essentially no dns) then client installation succeeded.
Would that be just a coincidence and DNS plays no role at this stage?
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
lejeczek via FreeIPA-users writes:

> On 08/01/18 08:46, Florence Blanc-Renaud wrote:
>> On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
>>>
>>> $ ipa-client-install --no-ntp --force-join
>>> Discovery was successful!
>>> ...
>>> Also note that following ports are necessary for
>>> ipa-client working properly after enrollment:
>>> TCP: 464
>>> UDP: 464, 123 (if NTP enabled)
>>> Failed to obtain host TGT: Major (851968): Unspecified
>>> GSS failure. Minor code may provide more information,
>>> Minor (2529638936): Preauthentication failed
>>> Installation failed. Rolling back changes.
>>> -- end
>>>
>>> At server's end(one single server in domain):
>>> ..
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
>>>
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
>>>
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
>>>
>>> -- end
>>>
>>> But after many tries(randomly) suddenly it would succeed.
>>> Client said to use --force-join.
>>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> what is the content of /etc/krb5.conf on your client? Does
>> it contain "includedir /etc/krb5.conf.d/" and if it is the
>> case, what is the content of the included files?
>>
>> During the client installation, a temp krb5.conf is
>> created and also contains "includedir /etc/krb5.conf.d/".
>> If there are snippets in this directory which define
>> parameters for the IPA realm, then the parameters might be
>> conflicting with the ones needed by the installer.
>
> I try to make sure that I do clean re-install, thus I do first:
>
> $ yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit
> krb5-server krb5-workstation ipa-python certmonger
>
> then I install IPA, at this point there is already a
> /etc/krb5.conf.d/ipa-certauth created, before any -install
> is run, but there is no "include" in /etc/krb5.conf.

Oh, this is RHEL-7.4? The missing `includedir` is https://bugzilla.redhat.com/show_bug.cgi?id=1431198 then.

You can try adding to the top of /etc/krb5.conf:

    includedir /etc/krb5.conf.d

and see if it succeeds, but I don't think it'll make a difference.

> In /etc/krb5.conf.d/ipa-certauth
>
> [plugins]
> certauth = {
> module = ipakdb:kdb/ipadb.so
> enable_only = ipakdb
> }
>
> So, should I remove that /etc/krb5.conf.d/ipa-certauth
> before client installation?
> I did, even then client installation fails the same way.
> Like I said(maybe most importantly),
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
On 08/01/18 22:46, Robbie Harwood wrote:
> lejeczek via FreeIPA-users writes:
>
>> $ ipa-client-install --no-ntp --force-join
>>
>> krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>>
>> But after many tries(randomly) suddenly it would succeed.
>
> Do the clocks match on the client and server?
>
> Thanks,
> --Robbie

Clocks are synced yet server's kerberos keeps logging this when client installation fails:
...
preauth (encrypted_timestamp) verify failure: Preauthentication failed
...
Would be problem with, in kerberos?

16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606060](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606060](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[606060](info): closing down fd 11
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
On 08/01/18 22:46, Robbie Harwood wrote:
> lejeczek via FreeIPA-users writes:
>
>> $ ipa-client-install --no-ntp --force-join
>>
>> krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>>
>> But after many tries(randomly) suddenly it would succeed.
>
> Do the clocks match on the client and server?
>
> Thanks,
> --Robbie

First thing I checked was the clock - yes.
Client log attached in hope it would reveal more.

And one more time, server's end, /var/log/krb5kdc.log:

Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22663](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): TGS_REQ (1 etypes {18}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22668](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.32: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22668](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22662](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22662](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[22661](info): closing down fd 11

2018-01-09T18:58:18Z DEBUG Logging to /var/log/ipaclient-install.log
2018-01-09T18:58:18Z DEBUG ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': None, 'force_ntpd': False, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': 'admin', 'keytab': None, 'no_ntp': False, 'domain_name': None, 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers':
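The KDC log pattern posted above (the admin principal gets a ticket while the host principal keeps failing pre-authentication) can be pulled out of a long krb5kdc.log mechanically. This is an added example, not code from FreeIPA or from anyone in the thread; the sample lines are constructed in the log format shown above, and the host names, realm and addresses in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the krb5kdc.log format shown in the thread.
SAMPLE_LOG = """\
Jan 09 18:58:27 kdc1.example.test krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 09 18:58:27 kdc1.example.test krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 09 18:58:27 kdc1.example.test krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 kdc1.example.test krb5kdc[22661](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc1.example.test@EXAMPLE.TEST
Jan 09 18:58:28 kdc1.example.test krb5kdc[22668](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: NEEDED_PREAUTH: host/client1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 09 18:58:28 kdc1.example.test krb5kdc[22665](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 09 18:58:28 kdc1.example.test krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: PREAUTH_FAILED: host/client1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jan 09 18:58:28 kdc1.example.test krb5kdc[22662](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: NEEDED_PREAUTH: host/client1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 09 18:58:28 kdc1.example.test krb5kdc[22661](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.17: PREAUTH_FAILED: host/client1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# One AS_REQ/TGS_REQ line: logging KDC host, request kind, client address,
# status, then "<client> for <service>". ISSUE lines carry an extra
# "authtime ..., etypes {...}," group before the client principal.
REQ_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def parse_requests(lines):
    """Yield one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    for line in lines:
        match = REQ_RE.match(line)
        if match:
            yield match.groupdict()


def summarize_as_requests(lines):
    """Count AS_REQ outcomes per (kdc host, client address, client principal).

    The KDC host is part of the key so logs collected from several masters
    can be concatenated and still show which one rejected the request.
    """
    summary = defaultdict(Counter)
    for req in parse_requests(lines):
        if req["kind"] == "AS_REQ":
            key = (req["kdc"], req["client_ip"], req["client"])
            summary[key][req["status"]] += 1
    return dict(summary)


def never_issued(summary):
    """Keys that hit PREAUTH_FAILED and never got a ticket issued.

    NEEDED_PREAUTH on its own is the normal first leg of an AS exchange;
    PREAUTH_FAILED with no later ISSUE is the pattern worth chasing.
    """
    return sorted(k for k, c in summary.items()
                  if c["PREAUTH_FAILED"] and not c["ISSUE"])


if __name__ == "__main__":
    result = summarize_as_requests(SAMPLE_LOG.splitlines())
    for key in never_issued(result):
        print(key, dict(result[key]))
```
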
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
lejeczek via FreeIPA-users writes:

> $ ipa-client-install --no-ntp --force-join
>
> krb5kdc[1560686](info): preauth (encrypted_timestamp) verify
> failure: Preauthentication failed
>
> But after many tries(randomly) suddenly it would succeed.

Do the clocks match on the client and server?

Thanks,
--Robbie
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
On 08/01/18 08:46, Florence Blanc-Renaud wrote:
> On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
>> hi everyone
>>
>> I'm trying a client, when I do:
>>
>> $ ipa-client-install --no-ntp --force-join
>> Discovery was successful!
>> ...
>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
>> Installation failed. Rolling back changes.
>> -- end
>>
>> At server's end (one single server in domain):
>> ..
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
>> -- end
>>
>> But after many tries (randomly) suddenly it would succeed.
>> Client said to use --force-join.
>>
>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> What can be the problem?
>> regards, L.
>
> Hi,
>
> what is the content of /etc/krb5.conf on your client? Does it contain "includedir /etc/krb5.conf.d/" and if it is the case, what is the content of the included files?
>
> During the client installation, a temp krb5.conf is created and also contains "includedir /etc/krb5.conf.d/". If there are snippets in this directory which define parameters for the IPA realm, then the parameters might be conflicting with the ones needed by the installer.
>
> Flo

I try to make sure that I do a clean re-install, thus I do first:

$ yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation ipa-python certmonger

then I install IPA. At this point there is already a /etc/krb5.conf.d/ipa-certauth created, before any -install is run, but there is no "include" in /etc/krb5.conf.

In /etc/krb5.conf.d/ipa-certauth:

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

So, should I remove that /etc/krb5.conf.d/ipa-certauth before client installation? I did, even then client installation fails the same way.

Like I said (maybe most importantly), it would suddenly (randomly?) succeed after a number of tries - why?

Probably one thing I should mention: I have an IPA domain/realm already on the network. I've set up another separate server (master first) for the same domain and now I'm trying to install a client to that new "stand-alone" server. (details on reason of doing something this weird I'd not go into just yet)

As I understand it, because
[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)
On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
> hi everyone
>
> I'm trying a client, when I do:
>
> $ ipa-client-install --no-ntp --force-join
> Discovery was successful!
> ...
> Also note that following ports are necessary for ipa-client working properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
> Installation failed. Rolling back changes.
> -- end
>
> At server's end (one single server in domain):
> ..
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Preauthentication failed
> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, Additional pre-authentication required
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
> -- end
>
> But after many tries (randomly) suddenly it would succeed.
> Client said to use --force-join.
>
> VERSION: 4.5.0, API_VERSION: 2.228
>
> What can be the problem?
> regards, L.

Hi,

what is the content of /etc/krb5.conf on your client? Does it contain "includedir /etc/krb5.conf.d/" and if it is the case, what is the content of the included files?

During the client installation, a temp krb5.conf is created and also contains "includedir /etc/krb5.conf.d/". If there are snippets in this directory which define parameters for the IPA realm, then the parameters might be conflicting with the ones needed by the installer.

Flo
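Added example, not part of the thread and not FreeIPA code: one way to run the check suggested in the message above, listing every realm-related setting that snippets in an includedir directory would contribute. The file names old-realm.conf and notes.txt.bak and the realm EXAMPLE.TEST are constructed for the demo; only the ipa-certauth content comes from the thread.

```python
import os
import re
import tempfile

# Sections whose settings decide which realm and KDC a client talks to.
REALM_SECTIONS = {"libdefaults", "realms", "domain_realm"}
# includedir only reads names made of alphanumerics, '-' and '_', or ending in ".conf".
INCLUDED_NAME = re.compile(r"^(?:[A-Za-z0-9_-]+|.*\.conf)$")


def scan_snippets(directory):
    """Return (file, section, setting) for each realm-related setting in included snippets."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not INCLUDED_NAME.match(name) or not os.path.isfile(path):
            continue
        section = None
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line[0] in "#;" or line == "}":
                    continue
                header = re.match(r"^\[([^\]]+)\]$", line)
                if header:
                    section = header.group(1).strip().lower()
                elif section in REALM_SECTIONS and "=" in line:
                    findings.append((name, section, line.split("=", 1)[0].strip()))
    return findings


def demo():
    """Constructed directory: the ipa-certauth snippet from the thread plus made-up files."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ipa-certauth"), "w") as fh:
            fh.write("[plugins]\n certauth = {\n  module = ipakdb:kdb/ipadb.so\n"
                     "  enable_only = ipakdb\n }\n")
        with open(os.path.join(d, "old-realm.conf"), "w") as fh:  # hypothetical leftover
            fh.write("[libdefaults]\n default_realm = EXAMPLE.TEST\n"
                     "[realms]\n EXAMPLE.TEST = {\n  kdc = kdc.example.test\n }\n")
        with open(os.path.join(d, "notes.txt.bak"), "w") as fh:  # name is not included
            fh.write("[libdefaults]\n default_realm = IGNORED.TEST\n")
        return scan_snippets(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real client, call scan_snippets("/etc/krb5.conf.d"); a snippet that only carries a [plugins] section, like the ipa-certauth file quoted in the thread, produces no findings.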