[Freeipa-devel] freeIPA + Fedora 9 + xen, can't get past ipa-finduser admin

Jaakan Shorter jaakanshorter at gmail.com
Mon May 19 15:43:56 UTC 2008


# ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
dn: krbprincipalname=K/M@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=
 net

dn: krbprincipalname=krbtgt/TEST.NET@TEST.NET,cn=TEST.NET,cn=kerberos
 ,dc=test,dc=net

dn: krbprincipalname=kadmin/admin@TEST.NET,cn=TEST.NET,cn=kerberos,dc=im
 mport,dc=net

dn: krbprincipalname=kadmin/changepw@TEST.NET,cn=TEST.NET,cn=kerberos,dc
 =test,dc=net

dn: krbprincipalname=kadmin/history@TEST.NET,cn=TEST.NET,cn=kerberos,dc=
 test,dc=net

dn: krbprincipalname=kadmin/freeipa.test.net@TEST.NET,cn=TEST.NET,cn=
 kerberos,dc=test,dc=net

dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net

dn: krbprincipalname=host/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net

dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net


On Mon, May 19, 2008 at 11:39 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jaakan Shorter wrote:
>>
>> Here's an update (I replaced the domain name with test).
>> Let me know if you need any more info.
>>
>> ipa-server-install --uninstall
>> rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>> stopped the kerberos service ( --uninstall switch didn't stop it. I
>> thought it should set it back to old state )
>> yum update ( 1.0.6 version came out over the weekend for FC-9 )
>> rebooted
>> ipa-server-install --setup-bind -N
>
> Yes, this should be fixed in the tip.
>
> [ snip ]
>
>> May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>> May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>> May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
>> {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for
>> krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>> May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes
>> {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes
>> {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
>> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
>> 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
>> not found in Kerberos database
>> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7
>> etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime
>> 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server
>> not found in Kerberos database
>
> Service principals are created for the IPA servers at install time. There
> must be some (perhaps subtle) difference in what was created at install time
> and what it is trying to use.
>
> Try this command to see what service principals exist:
>
> $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
>
> rob
>
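
Added example, not part of either message and not FreeIPA code: a check that takes the service principal the KDC rejects with UNKNOWN_SERVER and compares it with the principals returned by the ldapsearch above, reporting a stored entry that differs only in letter case. The sample input is constructed, modelled on the output in this thread; the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the ldapsearch and krb5kdc output
# shown in this thread (not a capture from a real system).
LDIF = """\
dn: krbprincipalname=krbtgt/TEST.NET@TEST.NET,cn=TEST.NET,cn=kerberos
 ,dc=test,dc=net

dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net

dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=ke
 rberos,dc=test,dc=net
"""
KDC_LOG = """\
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""


def ldif_principals(ldif):
    """Unfold LDIF continuation lines, then take krbprincipalname from each dn."""
    unfolded = re.sub(r"\n ", "", ldif)  # a leading space continues the previous line
    return re.findall(r"^dn: krbprincipalname=([^,]+),", unfolded, re.M | re.I)


def unknown_servers(log):
    """Service principals the KDC logged as UNKNOWN_SERVER, deduplicated."""
    return sorted(set(re.findall(r"UNKNOWN_SERVER: .*? for (\S+?), ", log)))


def diagnose(ldif, log):
    """Map each rejected principal to the stored spelling it matches.

    The value equals the key for an exact match, is a differently cased
    stored principal for a case-only mismatch, and is None if nothing matches.
    """
    stored = ldif_principals(ldif)
    by_lower = {p.lower(): p for p in stored}
    return {w: (w if w in stored else by_lower.get(w.lower()))
            for w in unknown_servers(log)}


if __name__ == "__main__":
    for wanted, found in diagnose(LDIF, KDC_LOG).items():
        if found is None:
            print(f"{wanted}: no such principal stored")
        elif found != wanted:
            print(f"{wanted}: stored with different case as {found}")
        else:
            print(f"{wanted}: exact match stored")
```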



