Re: [Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server

2014-03-11 Thread Rob Crittenden

Patrick de Ruiter wrote:

When I want to enroll a new machine the ipa-client-install process
bails out with the error "Failed to retrieve encryption type DES cbc
mode with CRC-32 (#1)".
The output below is the debug output:

[root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
root: DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': 'example.com', 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': True, 'dns_updates': False, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM', 'unattended': True, 'ntp_server': 'ns01.example.com', 'principal': None}
root: DEBUG    missing options might be asked for interactively later

root: DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root: DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root: DEBUG    [IPA Discovery]
root: DEBUG    Starting IPA discovery with domain=example.com, servers=None, hostname=apa01-tst.chn1.oob.example.com
root: DEBUG    Search for LDAP SRV record in example.com
root: DEBUG    [ipadnssearchldap]
root: DEBUG    [ipadnssearchkrb]
root: DEBUG    [ipacheckldap]
root: DEBUG    Verifying that auth01.example.com (realm EXAMPLE.COM) is an IPA server
root: DEBUG    Init ldap with: ldap://auth01.example.com:389
root: DEBUG    Search LDAP server for IPA base DN
root: DEBUG    Check if naming context 'dc=pp,dc=ams' is for IPA
root: DEBUG    Naming context 'dc=pp,dc=ams' is a valid IPA context
root: DEBUG    Search for (objectClass=krbRealmContainer) in dc=pp,dc=ams(sub)
root: DEBUG    Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams', {'krbSubTrees': ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root: DEBUG    Discovery result: Success; server=auth01.example.com, domain=example.com, kdc=auth01.example.com, basedn=dc=pp,dc=ams
root: DEBUG    Validated servers: auth01.example.com
root: DEBUG    will use domain: example.com

root: DEBUG    [ipadnssearchldap(example.com)]
root: DEBUG    DNS validated, enabling discovery
root: DEBUG    will use discovered server: auth01.example.com
Discovery was successful!
root: DEBUG    will use cli_realm: EXAMPLE.COM

root: DEBUG    will use cli_basedn: dc=pp,dc=ams

Hostname: apa01-tst.chn1.oob.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: auth01.example.com
BaseDN: dc=pp,dc=ams


Synchronizing time with KDC...
root: DEBUG    args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
root: DEBUG    stdout=
root: DEBUG    stderr=
root: DEBUG    Writing Kerberos configuration to /tmp/tmpM19nuR:
#File modified by ipa-client-install

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = auth01.example.com:88
    master_kdc = auth01.example.com:88
    admin_server = auth01.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM


root: INFO     OTP case, CA cert preexisted, use it
root: DEBUG    args=/usr/sbin/ipa-join -s 

Re: [Freeipa-users] Red Hat 5 client enrolment fails to Red Hat 6 Server

2014-03-11 Thread Patrick de Ruiter
Hi Rob

IPA client version is: ipa-client-2.1.3-7.el5

[root@apa01-tst ~]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -------------------------------------------------------------------------
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp@pp.ams (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp@pp.ams (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp@pp.ams (Triple DES cbc mode with HMAC/sha1)
   2 03/11/14 15:55:02 host/apa01-tst.chn1.oob.pp@pp.ams (ArcFour with HMAC/md5)


This is what shows up in the log file krb5kdc.log on the KDC:


Mar 11 15:55:02 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com, Additional pre-authentication required
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for HTTP/auth01.example@example.com
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for ldap/auth01.example@example.com
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com, Additional pre-authentication required
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for HTTP/auth01.example@example.com
Mar 11 15:55:03 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) 10.63.130.33: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:03 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.132.21: ISSUE: authtime 1394549703, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for ldap/auth01.example@example.com
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com, Additional pre-authentication required
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com
Mar 11 15:55:04 auth01.example.com krb5kdc[16846](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.63.130.33: ISSUE: authtime 1394549704, etypes {rep=18 tkt=18 ses=18}, host/apa01-tst.chn1.oob.example@example.com for ldap/auth01.example@example.com


Cheers,
Patrick


On Tue, Mar 11, 2014 at 2:00 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Patrick de Ruiter wrote:

 When I want to enroll a new machine the ipa-client-install process
 bails out with the error "Failed to retrieve encryption type DES cbc
 mode with CRC-32 (#1)".
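The two pieces of evidence in this thread fit together if you line up the etype numbers: the RHEL 5 client advertises {18 17 16 23 1 3 2} on every AS_REQ/TGS_REQ, the realm's krbSupportedEncSaltTypes lists only aes256-cts (18), aes128-cts (17), des3-hmac-sha1 (16) and arcfour-hmac (23), the KDC issued every ticket with etype 18, and the keytab received exactly those four key types. The etype the client error names, #1, is des-cbc-crc, the first of the three single-DES types the realm does not list. Why the 2.1.3 client then still wants a DES key is not shown in the thread; the script below only makes the mismatch visible. It is an added diagnostic, not code from the thread or from FreeIPA: it parses krb5kdc.log AS_REQ/TGS_REQ records and a krbSupportedEncSaltTypes value list, reports the advertised etypes the realm cannot serve, and pulls the etype number out of a "Failed to retrieve encryption type ... (#N)" message. The etype numbers are the RFC 3961/3962/4757 assignments; the sample realm attribute and log lines are constructed from the output quoted above.

```python
"""Cross-check the enctypes a Kerberos client advertises (krb5kdc.log) against
the enctypes a FreeIPA realm serves (krbSupportedEncSaltTypes)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Encryption type numbers assigned in RFC 3961, RFC 3962 and RFC 4757, keyed by
# the names MIT krb5 and FreeIPA use (several names are aliases for one number).
ETYPE_BY_NAME: Dict[str, int] = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16,
    "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts": 18, "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "rc4-hmac": 23,
}
NAME_BY_ETYPE: Dict[int, str] = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ETYPES: Set[int] = {1, 2, 3}  # single DES, 56-bit keys, deprecated by RFC 6649

# Shape of AS_REQ / TGS_REQ records in MIT krb5kdc.log; the braces hold the etype
# list the client advertised, in the client's own preference order.
KDC_REQ_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+):"
)
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+@[^\s,]+)")
# The "(#N)" suffix in the libkrb5 / ipa-client-install error names the etype.
CLIENT_ERR_RE = re.compile(r"encryption type (?P<name>.+?) \(#(?P<num>\d+)\)")


def supported_etypes(krb_supported_enc_salt_types: Iterable[str]) -> Set[int]:
    """Map a krbSupportedEncSaltTypes value list ('enctype:salttype') to etype numbers."""
    out: Set[int] = set()
    for entry in krb_supported_enc_salt_types:
        name = entry.split(":", 1)[0].strip().lower()
        if name not in ETYPE_BY_NAME:
            raise ValueError(f"unknown enctype name in realm config: {name!r}")
        out.add(ETYPE_BY_NAME[name])
    return out


def parse_kdc_requests(log_lines: Iterable[str]) -> List[dict]:
    """One record per AS_REQ/TGS_REQ line; lines of any other kind are skipped."""
    records = []
    for line in log_lines:
        m = KDC_REQ_RE.search(line)
        if not m:
            continue
        etypes = [int(x) for x in m.group("etypes").split()]
        if len(etypes) != int(m.group("n")):
            raise ValueError(f"etype count does not match list: {line.strip()}")
        p = PRINC_RE.search(line, m.end())  # principals follow the status field
        records.append({
            "kind": m.group("kind"), "status": m.group("status"), "ip": m.group("ip"),
            "etypes": etypes,
            "client": p.group("client") if p else None,
            "server": p.group("server") if p else None,
        })
    return records


def audit_requests(log_lines: Iterable[str], realm_supported: Set[int]) -> List[dict]:
    """Per request: advertised etypes the realm cannot serve, and which of those are
    single DES. An empty 'unsupported' list means every advertised type was servable."""
    findings = []
    for rec in parse_kdc_requests(log_lines):
        unsupported = sorted(e for e in rec["etypes"] if e not in realm_supported)
        findings.append({
            **rec,
            "unsupported": unsupported,
            "weak_unsupported": sorted(e for e in unsupported if e in WEAK_ETYPES),
            "unsupported_names": [NAME_BY_ETYPE.get(e, f"etype-{e}") for e in unsupported],
        })
    return findings


def etype_from_client_error(message: str) -> Optional[int]:
    """Etype number named by a 'Failed to retrieve encryption type ... (#N)' message."""
    m = CLIENT_ERR_RE.search(message)
    return int(m.group("num")) if m else None


# Constructed sample input: the realm attribute and two KDC log records taken
# from the thread above (hostnames and the anonymised realm are the thread's own).
REALM_ENC_SALT_TYPES = [
    "aes256-cts:normal", "aes256-cts:special", "aes128-cts:normal", "aes128-cts:special",
    "des3-hmac-sha1:normal", "des3-hmac-sha1:special",
    "arcfour-hmac:normal", "arcfour-hmac:special",
]
SAMPLE_KDC_LOG = [
    "Mar 11 15:55:02 auth01.example.com krb5kdc[16846](info): AS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 10.63.130.33: NEEDED_PREAUTH: "
    "host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com, "
    "Additional pre-authentication required",
    "Mar 11 15:55:02 auth01.example.com krb5kdc[16847](info): TGS_REQ (1 etypes {18}) "
    "10.63.130.33: ISSUE: authtime 1394549702, etypes {rep=18 tkt=18 ses=18}, "
    "host/apa01-tst.chn1.oob.example@example.com for krbtgt/example@example.com",
]
CLIENT_ERROR = "Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)"
```

Run it against a real krb5kdc.log and the realm's krbSupportedEncSaltTypes (as shown in the ipa-client-install -d discovery output) and any record whose unsupported list is non-empty tells you which client is still advertising key types the realm will not serve; a non-empty weak_unsupported list on a request that was nevertheless issued with etype 18 is the same picture as in this thread, where the KDC simply negotiated down to AES.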