[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-06 Thread Phinees Garandi via FreeIPA-users
We have temporarily canceled the cockpit deployment and retrieved a freeipa 
backup to recover the normal state while we understand how to make freeipa and 
cockpit work together.

Thanks for your help Rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Rob Crittenden via FreeIPA-users
Phinees Garandi via FreeIPA-users wrote:
> For your question: Is there a reason you are forcing domain, realm and 
> server?
> 
> I have to provide server and realm as discovery never really worked.
> 
> Indeed DNS seems to be ok regarding below commands
> 
> [root@test ~]# host -t SRV  _kerberos._udp.toto.fr
> _kerberos._udp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
> [root@test ~]# host -t SRV  _kerberos._tcp.toto.fr
> _kerberos._tcp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
> [root@test ~]# host -t SRV  _ldap._tcp.toto.fr
> _ldap._tcp.toto.fr has SRV record 0 100 389 ipa.toto.fr.
> 
> but freeipa-client-install fails in discovery mode

The sort of thing we'd need to see the logs for, or you can dig thru it
yourself. They are pretty verbose when it comes to discovery. It should
tell you what it's missing.

rob


[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Rob Crittenden via FreeIPA-users
The server returned a 401 to the authentication request. You'll want to
look in the apache error log file on the IPA server to see if that holds
any clues.

rob


Phinees Garandi via FreeIPA-users wrote:
> Hello Rob,
> 
> I also tested using the --force flag; the output is the same.
> 
> This is the content of /var/log/ipaclient-install:
> 
> 2021-12-02T15:31:13Z DEBUG Logging to /var/log/ipaclient-install.log
> 2021-12-02T15:31:13Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': 'admin', 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': True, 'configure_firefox': True, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': ['ipa.toto.fr'], 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'toto.fr', 'servers': ['ipa.toto.fr'], 'realm_name': 'toto.FR', 'host_name': 'slurm-nfs.toto.fr', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
> 2021-12-02T15:31:13Z DEBUG IPA version 4.9.6-6.module+el8.5.0+674+69615a50
> 2021-12-02T15:31:13Z DEBUG IPA platform rhel
> 2021-12-02T15:31:13Z DEBUG IPA os-release Rocky Linux 8.4 (Green Obsidian)
> 2021-12-02T15:31:13Z DEBUG Starting external process
> 2021-12-02T15:31:13Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2021-12-02T15:31:13Z DEBUG Process finished, return code=0
> 2021-12-02T15:31:13Z DEBUG stdout=
> 2021-12-02T15:31:13Z DEBUG stderr=
> 2021-12-02T15:31:13Z DEBUG Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2021-12-02T15:31:13Z DEBUG Loading StateFile from 
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2021-12-02T15:31:13Z DEBUG Loading StateFile from 
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2021-12-02T15:31:13Z DEBUG Starting external process
> 2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-enabled', 
> 'ntpd.service']
> 2021-12-02T15:31:13Z DEBUG Process finished, return code=1
> 2021-12-02T15:31:13Z DEBUG stdout=
> 2021-12-02T15:31:13Z DEBUG stderr=Failed to get unit file state for 
> ntpd.service: No such file or directory
> 
> 2021-12-02T15:31:13Z DEBUG Starting external process
> 2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-active', 
> 'ntpd.service']
> 2021-12-02T15:31:13Z DEBUG Process finished, return code=3
> 2021-12-02T15:31:13Z DEBUG stdout=inactive
> 
> 2021-12-02T15:31:13Z DEBUG stderr=
> 2021-12-02T15:31:13Z DEBUG Starting external process
> 2021-12-02T15:31:13Z DEBUG args=['sudo', '-V']
> 2021-12-02T15:31:13Z DEBUG Process finished, return code=0
> 2021-12-02T15:31:13Z DEBUG stdout=Sudo version 1.8.29
> Options de configuration : --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd
> La version du greffon de politique de sudoers est 1.8.29
> La version de la grammaire du fichier sudoers est 46
> 
> Chemin d'accès à sudoers : /etc/sudoers
> chemin d'accès à nsswitch : /etc/nsswitch.conf
> chemin d'accès à ldap.conf : /etc/sudo-ldap.conf
> chemin d'accès à ldap.secret : /etc/ldap.secret
> Méthodes d'authentification :  'pam'
> Mécanisme syslog si syslog est utilisé pour la journalisation des événements 
> : authpriv 
> Priorité syslog utilisée lorsque l'authentification de l'utilisateur est 
> réussie : notice
> Priorité Syslog utilisée lorsque l'authentification de l'utilisateur a échoué 
> : alert
> Ne pas tenir compte de « . » dans $PATH
> Envoi d'un courriel si l'utilisateur ne figure pas dans sudoers
> Adresse les recommandations d'usage à l'utilisateur lors de la première 
> exécution de sudo
> Exige l'authentification de l'utilisateur par défaut
> L'utilisateur root peut exécuter sudo
> Assignation systématique du répertoire personnel de l'utilisateur cible dans 
> $HOME
> Autorise la collecte de certaines informations 

[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Phinees Garandi via FreeIPA-users
For your question: Is there a reason you are forcing domain, realm and server?

I have to provide server and realm as discovery never really worked.

Indeed DNS seems to be ok regarding below commands

[root@test ~]# host -t SRV  _kerberos._udp.toto.fr
_kerberos._udp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
[root@test ~]# host -t SRV  _kerberos._tcp.toto.fr
_kerberos._tcp.toto.fr has SRV record 0 100 88 ipa.toto.fr.
[root@test ~]# host -t SRV  _ldap._tcp.toto.fr
_ldap._tcp.toto.fr has SRV record 0 100 389 ipa.toto.fr.

but freeipa-client-install fails in discovery mode


[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Phinees Garandi via FreeIPA-users
Hello Rob,

I also tested using the --force flag; the output is the same.

This is the content of /var/log/ipaclient-install:

2021-12-02T15:31:13Z DEBUG Logging to /var/log/ipaclient-install.log
2021-12-02T15:31:13Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': 'admin', 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': True, 'configure_firefox': True, 'firefox_dir': None, 'keytab': None, 'mkhomedir': True, 'force_join': False, 'ntp_servers': ['ipa.toto.fr'], 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': True, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'automount_location': None, 'domain_name': 'toto.fr', 'servers': ['ipa.toto.fr'], 'realm_name': 'toto.FR', 'host_name': 'slurm-nfs.toto.fr', 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2021-12-02T15:31:13Z DEBUG IPA version 4.9.6-6.module+el8.5.0+674+69615a50
2021-12-02T15:31:13Z DEBUG IPA platform rhel
2021-12-02T15:31:13Z DEBUG IPA os-release Rocky Linux 8.4 (Green Obsidian)
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2021-12-02T15:31:13Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-enabled', 'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=1
2021-12-02T15:31:13Z DEBUG stdout=
2021-12-02T15:31:13Z DEBUG stderr=Failed to get unit file state for 
ntpd.service: No such file or directory

2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['/bin/systemctl', 'is-active', 'ntpd.service']
2021-12-02T15:31:13Z DEBUG Process finished, return code=3
2021-12-02T15:31:13Z DEBUG stdout=inactive

2021-12-02T15:31:13Z DEBUG stderr=
2021-12-02T15:31:13Z DEBUG Starting external process
2021-12-02T15:31:13Z DEBUG args=['sudo', '-V']
2021-12-02T15:31:13Z DEBUG Process finished, return code=0
2021-12-02T15:31:13Z DEBUG stdout=Sudo version 1.8.29
Options de configuration : --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd
La version du greffon de politique de sudoers est 1.8.29
La version de la grammaire du fichier sudoers est 46

Chemin d'accès à sudoers : /etc/sudoers
chemin d'accès à nsswitch : /etc/nsswitch.conf
chemin d'accès à ldap.conf : /etc/sudo-ldap.conf
chemin d'accès à ldap.secret : /etc/ldap.secret
Méthodes d'authentification :  'pam'
Mécanisme syslog si syslog est utilisé pour la journalisation des événements : 
authpriv 
Priorité syslog utilisée lorsque l'authentification de l'utilisateur est 
réussie : notice
Priorité Syslog utilisée lorsque l'authentification de l'utilisateur a échoué : 
alert
Ne pas tenir compte de « . » dans $PATH
Envoi d'un courriel si l'utilisateur ne figure pas dans sudoers
Adresse les recommandations d'usage à l'utilisateur lors de la première 
exécution de sudo
Exige l'authentification de l'utilisateur par défaut
L'utilisateur root peut exécuter sudo
Assignation systématique du répertoire personnel de l'utilisateur cible dans 
$HOME
Autorise la collecte de certaines informations dans le but d'afficher des 
messages d'erreurs pertinents
Visudo se conformera au contenu de la variable d'environnement EDITOR
Définir les variables d'environnement LOGNAME et USER
Longueur après laquelle intercaler un retour à la ligne dans le fichier journal 
(0 indique qu'il n'y a pas de retour à la ligne) : 80
Délai d'expiration de l'horodatage de l'authentification : 5,0 minutes

[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Phinees Garandi via FreeIPA-users
Important detail: I installed cockpit "https://cockpit-project.org/" and it was 
after that I had the bug.
I don't know if the cockpit installation had an impact.


[Freeipa-users] Re: ipa-client-install error: Failed to obtain host TGT: Major (851968)

2021-12-02 Thread Rob Crittenden via FreeIPA-users
Phinees Garandi via FreeIPA-users wrote:
> Hello everyone
> 
> I encountered a bug while installing freeipa client.
> 
> The command fails and I have this as an error message:
> 
> `Please make sure the following ports are opened in the firewall settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly 
> after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor 
> code may provide more information, Minor (2529639107): No credentials cache 
> found
> Installation failed. Force set so not rolling back changes.`
> 
> 
> This is my command : 
> 
> ipa-client-install  \
> --mkhomedir \
> --ntp-server=my-ntp-server \
> --server=my-ipa-server \
> --domain=my-domain \
> --realm=MYREALM \
> --principal my-user \
> --ssh-trust-dns \
> --hostname=my-hostname
> 
> thank you so much for your help.

We'd need to see the full /var/log/ipaclient-install to know what is
going on. Or you can look at it.

The installer creates a temporary krb5.conf to be used to verify the
remote server and do the initial setup. You may want to manually create
a similar config file and see if you can get a ticket.

Is there a reason you are forcing domain, realm and server?

You must have also used the --force flag to get the message "Force set
so not rolling back changes."

rob
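
Rob's suggestion above (build a krb5.conf like the installer's temporary one and try to get a ticket by hand), as an added example rather than code from the thread or from FreeIPA. The file layout is a minimal assumption, not the installer's exact template; the function names are hypothetical, and the `includedir` toggle follows the remark in an older message of this thread that the temporary file also pulls in /etc/krb5.conf.d/.

```python
import os
import subprocess
import sys
import tempfile


def input_warnings(realm, server, domain):
    """Return warnings about values that commonly make the manual kinit fail."""
    warnings = []
    if realm != realm.upper():
        # Kerberos realm names are case-sensitive and conventionally upper-case.
        warnings.append(
            f"realm {realm!r} is not upper-case; realm names are case-sensitive, "
            f"expected something like {realm.upper()!r}"
        )
    if "." not in server:
        warnings.append(f"server {server!r} is not a fully qualified host name")
    return warnings


def render_krb5_conf(realm, server, domain, include_snippets=True):
    """Build a minimal krb5.conf pinned to one KDC (assumed layout, DNS lookups off)."""
    lines = []
    if include_snippets:
        # Same include the thread says the installer's temporary file carries.
        lines += ["includedir /etc/krb5.conf.d/", ""]
    lines += [
        "[libdefaults]",
        f"  default_realm = {realm}",
        "  dns_lookup_realm = false",
        "  dns_lookup_kdc = false",
        "  rdns = false",
        "",
        "[realms]",
        f"  {realm} = {{",
        f"    kdc = {server}:88",
        "  }",
        "",
        "[domain_realm]",
        f"  .{domain} = {realm}",
        f"  {domain} = {realm}",
        "",
    ]
    return "\n".join(lines)


def try_kinit(principal, realm, server, domain, include_snippets=True):
    """Run kinit against the generated config with tracing; return its exit code."""
    workdir = tempfile.mkdtemp(prefix="ipa-kinit-test-")  # private 0700 directory
    conf = os.path.join(workdir, "krb5.conf")
    with open(conf, "w") as fh:
        fh.write(render_krb5_conf(realm, server, domain, include_snippets))
    env = dict(
        os.environ,
        KRB5_CONFIG=conf,                      # use only the test config
        KRB5_TRACE="/dev/stderr",              # MIT krb5 protocol trace
        KRB5CCNAME="FILE:" + os.path.join(workdir, "ccache"),
    )
    return subprocess.run(["kinit", f"{principal}@{realm}"], env=env).returncode


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: kinit_test.py PRINCIPAL REALM SERVER DOMAIN")
    principal, realm, server, domain = sys.argv[1:]
    for warning in input_warnings(realm, server, domain):
        print("warning:", warning, file=sys.stderr)
    # Try once with the /etc/krb5.conf.d snippets and once without them.
    for include in (True, False):
        rc = try_kinit(principal, realm, server, domain, include)
        print(f"includedir={'yes' if include else 'no'}: kinit exit code {rc}")
```

If kinit succeeds only without the include, a snippet in /etc/krb5.conf.d/ is overriding settings for the realm.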


[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-04-09 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> 
> 
> On 06/01/18 19:51, lejeczek via FreeIPA-users wrote:
>> Failed to obtain host TGT: Major (851968): Unspecified GSS failure.
>> Minor code may provide more information, Minor (2529638936):
>> Preauthentication failed 
> 
> hi guys,
> I hit that error again. What I noticed is
> - on that candidate client when I changed resolver to look only at
> 127.0.0.1(which was not running) and used --server & --domain (thus
> essentially no dns) then client installation succeeded.
> Would that be just a coincidence and DNS plays no role at this stage?

What I would recommend doing is leave DNS enabled and wait for a failed
enrollment and see what master it is enrolling against. That should help
narrow things down, especially if the failing master does not match the
one you can force success with.

rob


[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-04-07 Thread lejeczek via FreeIPA-users



On 06/01/18 19:51, lejeczek via FreeIPA-users wrote:
Failed to obtain host TGT: Major (851968): Unspecified GSS 
failure. Minor code may provide more information, Minor 
(2529638936): Preauthentication failed 


hi guys,
I hit that error again. What I noticed is
- on that candidate client when I changed resolver to look 
only at 127.0.0.1(which was not running) and used --server & 
--domain (thus essentially no dns) then client installation 
succeeded.
Would that be just a coincidence and DNS plays no role at 
this stage?




[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
lejeczek via FreeIPA-users 
writes:

> On 08/01/18 08:46, Florence Blanc-Renaud wrote:
>> On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
>>>
>>> $ ipa-client-install --no-ntp --force-join
>>> Discovery was successful!
>>> ...
>>> Also note that following ports are necessary for 
>>> ipa-client working properly after enrollment:
>>>   TCP: 464
>>>   UDP: 464, 123 (if NTP enabled)
>>> Failed to obtain host TGT: Major (851968): Unspecified 
>>> GSS failure. Minor code may provide more information, 
>>> Minor (2529638936): Preauthentication failed
>>> Installation failed. Rolling back changes.
>>> -- end
>>>
>>> At server's end(one single server in domain):
>>> ..
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560685](info): closing down fd 11
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
>>> host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
>>> for 
>>> krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
>>> Additional pre-authentication required
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): preauth (encrypted_timestamp) 
>>> verify failure: Preauthentication failed
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: PREAUTH_FAILED: 
>>> host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
>>> for 
>>> krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
>>> Preauthentication failed
>>> Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
>>> ad...@private.xx.xx.private.xx.xx.x for 
>>> krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
>>> Additional pre-authentication required
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560681](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
>>> {rep=18 tkt=18 ses=18}, 
>>> ad...@private.xx.xx.private.xx.xx.x for 
>>> krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x 
>>>
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
>>> {rep=18 tkt=18 ses=18}, 
>>> ad...@private.xx.xx.private.xx.xx.x for 
>>> ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
>>>
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): closing down fd 11
>>> Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
>>> krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 
>>> 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
>>> {rep=18 tkt=18 ses=18}, 
>>> ad...@private.xx.xx.private.xx.xx.x for 
>>> HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
>>>
>>> -- end
>>>
>>> But after many tries(randomly) suddenly it would succeed. 
>>> Client said to use  --force-join.
>>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> what is the content of /etc/krb5.conf on your client? Does 
>> it contain "includedir /etc/krb5.conf.d/" and if it is the 
>> case, what is the content of the included files?
>>
>> During the client installation, a temp krb5.conf is 
>> created and also contains "includedir /etc/krb5.conf.d/". 
>> If there are snippets in this directory which define 
>> parameters for the IPA realm, then the parameters might be 
>> conflicting with the ones needed by the installer.
>
> I try to make sure that I do clean re-install, thus I do first:
>
> $ yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit 
> krb5-server krb5-workstation ipa-python certmonger
>
> then I install IPA, at this point there is already a 
> /etc/krb5.conf.d/ipa-certauth created, before any -install 
> is run, but there is no "include" in /etc/krb5.conf.

Oh, this is RHEL-7.4?  The missing `includedir` is
https://bugzilla.redhat.com/show_bug.cgi?id=1431198 then.  You can try
adding to the top of /etc/krb5.conf:

includedir /etc/krb5.conf.d

and see if it succeeds, but I don't think it'll make a difference.

> In /etc/krb5.conf.d/ipa-certauth
>
> [plugins]
>   certauth = {
>    module = ipakdb:kdb/ipadb.so
>    enable_only = ipakdb
>   }
>
> So, should I remove that /etc/krb5.conf.d/ipa-certauth 
> before client installation?
> I did, even then client installation fails the same way.
> Like I said(maybe most importantly), 

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-10 Thread lejeczek via FreeIPA-users



On 08/01/18 22:46, Robbie Harwood wrote:

lejeczek via FreeIPA-users 
writes:


$ ipa-client-install --no-ntp --force-join

krb5kdc[1560686](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed

But after many tries(randomly) suddenly it would succeed.

Do the clocks match on the client and server?

Thanks,
--Robbie


Clocks are synced, yet the server's Kerberos keeps logging this 
when client installation fails:


...
 preauth (encrypted_timestamp) verify failure: 
Preauthentication failed

...

Would be problem with, in kerberos?

16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): preauth (encrypted_timestamp) verify 
failure: Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606061](info): closing down fd 11
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606060](info): preauth (encrypted_timestamp) verify 
failure: Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606060](info): AS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 10 15:11:50 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[606060](info): closing down fd 11
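
One way to read the krb5kdc.log excerpts posted in this thread, added here as an example and not part of any message: it re-joins the mail-wrapped log lines and tallies AS_REQ outcomes per client address and principal, so a host principal that only ever gets PREAUTH_FAILED stands out from principals that are issued tickets from the same address. The sample log is constructed (names, realm and authtime are made up) and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the krb5kdc.log excerpts in this thread.
# Host names, realm and authtime are made up; the hard wraps imitate the way
# the mail client folded the original log lines.
SAMPLE_LOG = """\
Jan 10 15:11:50 ipa.example.test
krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: NEEDED_PREAUTH:
host/client1.example.test@EXAMPLE.TEST
for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,
Additional pre-authentication required
Jan 10 15:11:50 ipa.example.test
krb5kdc[606061](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed
Jan 10 15:11:50 ipa.example.test
krb5kdc[606061](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: PREAUTH_FAILED:
host/client1.example.test@EXAMPLE.TEST
for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,
Preauthentication failed
Jan 10 15:11:50 ipa.example.test
krb5kdc[606061](info): closing down fd 11
Jan 10 15:12:23 ipa.example.test
krb5kdc[606060](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: NEEDED_PREAUTH:
admin@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,
Additional pre-authentication required
Jan 10 15:12:23 ipa.example.test
krb5kdc[606060](info): AS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: ISSUE: authtime 1515597143, etypes
{rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# A record starts with a syslog-style timestamp; everything else continues it.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
REQUEST = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")


def unwrap(text):
    """Re-join hard-wrapped lines into one string per log record."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def summarize(text):
    """Count 'KIND:STATUS' outcomes per (client address, client principal)."""
    stats = defaultdict(Counter)
    for record in unwrap(text):
        req = REQUEST.search(record)
        if not req:
            continue  # e.g. "closing down fd" or the bare preauth failure line
        names = PRINCIPALS.search(req["rest"])
        if names:
            stats[(req["addr"], names["client"])][f"{req['kind']}:{req['status']}"] += 1
    return stats


def as_req_failures(stats):
    """Principals whose preauth failed and that were never issued a TGT."""
    return sorted(key for key, c in stats.items()
                  if c["AS_REQ:PREAUTH_FAILED"] and not c["AS_REQ:ISSUE"])


def others_succeeded(stats, addr, principal):
    """Other principals that did get a TGT from the same client address."""
    return sorted(client for (a, client), c in stats.items()
                  if a == addr and client != principal and c["AS_REQ:ISSUE"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for addr, principal in as_req_failures(stats):
        ok = others_succeeded(stats, addr, principal) or ["none"]
        print(f"{principal} from {addr}: preauth failed, no TGT issued; "
              f"TGT issued from same address to: {', '.join(ok)}")
```

When the same address gets a TGT for one principal but only PREAUTH_FAILED for the host principal, the KDC was reachable and the thing to examine is the key the client presented for that host principal.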



[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-09 Thread lejeczek via FreeIPA-users



On 08/01/18 22:46, Robbie Harwood wrote:

lejeczek via FreeIPA-users 
writes:


$ ipa-client-install --no-ntp --force-join

krb5kdc[1560686](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed

But after many tries(randomly) suddenly it would succeed.

Do the clocks match on the client and server?

Thanks,
--Robbie


First thing I checked was the clock - yes.
Client log attached in hope it would reveal more.
And one more time, server's end, /var/log/krb5kdc.log:

Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22663](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18 
tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): TGS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes 
{rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x 
for 
ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): TGS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes 
{rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x 
for 
HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): TGS_REQ (1 etypes {18}) 10.5.6.17: 
ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22668](info): TGS_REQ (8 etypes {18 17 20 19 16 23 
25 26}) 10.5.6.32: ISSUE: authtime 1515524307, etypes 
{rep=18 tkt=18 ses=18}, ad...@private.xx.xx.private.xx.xx.x 
for 
ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22668](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): preauth (encrypted_timestamp) verify 
failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22662](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22662](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): preauth (encrypted_timestamp) verify 
failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[22661](info): closing down fd 11


2018-01-09T18:58:18Z DEBUG Logging to /var/log/ipaclient-install.log
2018-01-09T18:58:18Z DEBUG ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': None, 'force_ntpd': False, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': 'admin', 'keytab': None, 'no_ntp': False, 'domain_name': None, 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': 

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-08 Thread Robbie Harwood via FreeIPA-users
lejeczek via FreeIPA-users 
writes:

> $ ipa-client-install --no-ntp --force-join
>
> krb5kdc[1560686](info): preauth (encrypted_timestamp) verify 
> failure: Preauthentication failed
>
> But after many tries(randomly) suddenly it would succeed. 

Do the clocks match on the client and server?

Thanks,
--Robbie




[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-08 Thread lejeczek via FreeIPA-users



On 08/01/18 08:46, Florence Blanc-Renaud wrote:

On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:


hi everyone

I'm trying a client, when I do:

$ ipa-client-install --no-ntp --force-join
Discovery was successful!
...
Also note that following ports are necessary for 
ipa-client working properly after enrollment:

  TCP: 464
  UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified 
GSS failure. Minor code may provide more information, 
Minor (2529638936): Preauthentication failed

Installation failed. Rolling back changes.
-- end

At server's end(one single server in domain):
..
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560685](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): preauth (encrypted_timestamp) 
verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 
for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560681](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
{rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x 

Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
{rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 

Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x 
krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 
23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes 
{rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x 


-- end

But after many tries(randomly) suddenly it would succeed. 
Client said to use  --force-join.

VERSION: 4.5.0, API_VERSION: 2.228

What can be the problem?

regards, L.


Hi,

what is the content of /etc/krb5.conf on your client? Does 
it contain "includedir /etc/krb5.conf.d/" and if it is the 
case, what is the content of the included files?


During the client installation, a temp krb5.conf is 
created and also contains "includedir /etc/krb5.conf.d/". 
If there are snippets in this directory which define 
parameters for the IPA realm, then the parameters might be 
conflicting with the ones needed by the installer.


Flo


I try to make sure that I do a clean re-install, thus I do first:

$ yum remove -y `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation ipa-python certmonger


then I install IPA, at this point there is already a 
/etc/krb5.conf.d/ipa-certauth created, before any -install 
is run, but there is no "include" in /etc/krb5.conf.

In /etc/krb5.conf.d/ipa-certauth

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

So, should I remove that /etc/krb5.conf.d/ipa-certauth 
before client installation?

I did, even then client installation fails the same way.
Like I said (maybe most importantly), it would 
suddenly (randomly?) succeed after a number of tries - why?


Probably one thing I should mention: I have an IPA 
domain/realm already on the network. I've set up another 
separate server (master first) for the same domain and now I'm 
trying to install a client to that new "stand-alone" server.
(details on reason of doing something this weird I'd not go 
into just yet)
As I understand it, because 

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:


hi everyone

I'm trying a client, when I do:

$ ipa-client-install --no-ntp --force-join
Discovery was successful!
...
Also note that following ports are necessary for ipa-client working 
properly after enrollment:

  TCP: 464
  UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure. 
Minor code may provide more information, Minor (2529638936): 
Preauthentication failed

Installation failed. Rolling back changes.
-- end

At server's end(one single server in domain):
..
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): 
closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: 
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: 
ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x, 
Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): 
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 
1515250943, etypes {rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
krbtgt/private.xx.xx.private.xx.x...@private.xx.xx.private.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 
1515250943, etypes {rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
ldap/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): 
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 
1515250943, etypes {rep=18 tkt=18 ses=18}, 
ad...@private.xx.xx.private.xx.xx.x for 
HTTP/swir.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x

-- end

But after many tries(randomly) suddenly it would succeed. Client said to 
use  --force-join.

VERSION: 4.5.0, API_VERSION: 2.228

What can be the problem?

regards, L.


Hi,

what is the content of /etc/krb5.conf on your client? Does it contain 
"includedir /etc/krb5.conf.d/" and if it is the case, what is the 
content of the included files?


During the client installation, a temp krb5.conf is created and also 
contains "includedir /etc/krb5.conf.d/". If there are snippets in this 
directory which define parameters for the IPA realm, then the parameters 
might be conflicting with the ones needed by the installer.


Flo
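
One way to run the check described in the message above, as an added example that is not part of the original thread or of FreeIPA's installer: it scans the snippets that "includedir /etc/krb5.conf.d/" would pull in and reports settings that could conflict with the installer's temporary krb5.conf. The function name, the realm EXAMPLE.TEST, every sample snippet except the ipa-certauth one quoted in this thread, and the choice of which sections count as conflicting are assumptions.

```python
import re

# Constructed sample input: file name -> content, standing in for /etc/krb5.conf.d/.
SAMPLE_SNIPPETS = {
    "ipa-certauth": "[plugins]\n certauth = {\n  module = ipakdb:kdb/ipadb.so\n"
                    "  enable_only = ipakdb\n }\n",
    "old-realm": "[libdefaults]\n default_realm = OLD.EXAMPLE.TEST\n"
                 "[realms]\n EXAMPLE.TEST = {\n  kdc = oldkdc.example.test\n }\n"
                 "[domain_realm]\n .example.test = EXAMPLE.TEST\n",
    "backup.orig": "[libdefaults]\n default_realm = IGNORED.TEST\n",
}

# includedir only reads files named with alphanumerics, '-' and '_', or
# (MIT krb5 1.15 and later) ending in ".conf" and not starting with a dot.
INCLUDED_NAME = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")

def find_realm_overrides(snippets, realm):
    """Return (file, section, setting) triples that may override installer settings."""
    findings = []
    for name in sorted(snippets):
        if not INCLUDED_NAME.match(name):
            continue  # libkrb5 would skip this file
        section, subsection = None, None
        for raw in snippets[name].splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("["):
                section, subsection = line.strip("[]").lower(), None
            elif line == "}":
                subsection = None
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if value == "{":
                    subsection = key  # e.g. a realm block inside [realms]
                elif section == "libdefaults":
                    findings.append((name, section, f"{key} = {value}"))
                elif section == "realms" and subsection == realm:
                    findings.append((name, section, f"{realm}: {key} = {value}"))
                elif section == "domain_realm" and value == realm:
                    findings.append((name, section, f"{key} = {value}"))
    return findings

if __name__ == "__main__":
    for finding in find_realm_overrides(SAMPLE_SNIPPETS, "EXAMPLE.TEST"):
        print(*finding, sep=": ")
```

The ipa-certauth snippet quoted in this thread only sets a [plugins] entry, so it produces no finding here.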