Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek

On 11/29/2016 10:50 AM, Tomas Krizek wrote:

On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self 
signed certificate vs. Let’s Encrypt. I tried to run the set up 
script from https://github.com/freeipa/freeipa-letsencrypt and below 
are some errors and logs.


Within the /etc/httpd/conf.d/ipa.conf file I commented out 
these directives as I had some Apache redirects that were breaking:


#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
application-group=ipa

#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
certificate issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial 
credentials


journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

 file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' 
(No such file or directory)


ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available (default cache: KEYRING:persistent:0))


ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 
25 26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11




Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.
--
Tomas Krizek


The issue should be fixed now. Please try to setup Let's Encrypt again. 
In case it does not work, you might need to reinstall IPA before setting 
up Let's Encrypt.


--
Tomas Krizek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek

On 11/28/2016 05:38 PM, Robert Kudyba wrote:
There seems to be a problem either with Kerberos and/or using a self 
signed certificate vs. Let’s Encrypt. I tried to run the set up script 
from https://github.com/freeipa/freeipa-letsencrypt and below are some 
errors and logs.


Within the /etc/httpd/conf.d/ipa.conf file I commented out 
these directives as I had some Apache redirects that were breaking:


#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
application-group=ipa

#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
certificate issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

 file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No 
such file or directory)


ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available (default cache: KEYRING:persistent:0))


ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) ip: NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, 
Additional pre-authentication required

Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11




Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.

--
Tomas Krizek


[Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-28 Thread Robert Kudyba
There seems to be a problem either with Kerberos and/or using a self signed 
certificate vs. Let’s Encrypt. I tried to run the set up script from 
https://github.com/freeipa/freeipa-letsencrypt and below are some errors and 
logs.

Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as 
I had some Apache redirects that were breaking:

#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh 
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate 
issuer has been marked as not trusted by the user. (visit 
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

 file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such 
file or directory)

ldapsearch -Y GSSAPI 
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos credentials 
available (default cache: KEYRING:persistent:0))

ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: 
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional 
pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: 
NEEDED_PREAUTH: admin@for krbtgt/ourdomain@ ourdomain, Additional 
pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11

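The krb5kdc.log excerpt in the post shows only NEEDED_PREAUTH lines for admin and no ISSUE line, which is what a KDC records when the client never completes the pre-authenticated second AS_REQ. The parser below, added here as an example and not part of the thread, reads log lines in that layout and reports clients that were asked for pre-authentication but never got a ticket; the realm EXAMPLE.TEST, the IP addresses and the ISSUE line are constructed placeholders because the post's realm is redacted.

```python
import re
from collections import defaultdict

# Constructed krb5kdc.log sample in the layout shown in the thread; the realm
# EXAMPLE.TEST, the client IPs and the ISSUE line are placeholders, not page data.
SAMPLE_LOG = """\
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:16:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: host/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:16:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1480328162, etypes {rep=18 tkt=18 ses=18}, host/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# One AS_REQ record: timestamp, pid, offered etypes, client IP, status and tail.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client for server" appears in both the NEEDED_PREAUTH and the ISSUE tail.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")


def parse_as_req(line):
    """Parse one AS_REQ log line into a dict, or return None for other lines."""
    m = AS_REQ_RE.match(line)
    if m is None:
        return None
    p = PRINC_RE.search(m.group("rest"))
    return {
        "ts": m.group("ts"), "pid": int(m.group("pid")), "ip": m.group("ip"),
        "etypes": [int(e) for e in m.group("etypes").split()],
        "status": m.group("status"),
        "client": p.group("client"), "server": p.group("server"),
    }


def triage(log_text):
    """Return {client: count} for clients that only ever got NEEDED_PREAUTH
    and never an ISSUE line, i.e. pre-authentication was never completed."""
    needed, issued = defaultdict(int), set()
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue  # e.g. "closing down fd" lines
        if rec["status"] == "NEEDED_PREAUTH":
            needed[rec["client"]] += 1
        elif rec["status"] == "ISSUE":
            issued.add(rec["client"])
    return {c: n for c, n in needed.items() if c not in issued}
```

Running `triage(SAMPLE_LOG)` on the sample reports only admin@EXAMPLE.TEST, while the host principal, whose second request was answered with ISSUE, is not flagged.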