[Freeipa-devel] kinit: Cannot contact any KDC for realm... from FreeIPA client (Active Directory trust setup)

Petr Spacek pspacek at redhat.com
Mon Oct 10 06:56:59 UTC 2016


On 10.10.2016 05:23, rajat gupta wrote:
> Hi,
> 
> I am trying to set up the FreeIPA Active Directory trust and I am
> following
> the http://www.freeipa.org/page/Active_Directory_trust_setup documentation.
> 
> I am able to log in on the FreeIPA server with AD users.
> 
> But when I am trying to log in from some other IPA client machine I am not
> able to log in with an AD user.
> 
> The required firewall ports are opened between the FreeIPA server and the AD server and
> between the FreeIPA server and the FreeIPA clients.
> 
> There is no firewall port opened between the FreeIPA client and the AD
> server.
> 
> =================================================================
> against addomain from ipaserver:
> 
> ipa01 ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
> [24633] 1476069033.462976: Resolving unique ccache of type KEYRING
> [24633] 1476069033.463027: Getting initial credentials for
> rajat.g at AD.ADDOMAIN.COM
> [24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
> [24633] 1476069033.474439: Sending initial UDP request to dgram
> 192.168.20.100:88
> [24633] 1476069033.487765: Received answer (212 bytes) from dgram
> 192.168.20.100:88
> [24633] 1476069033.488098: Response was not from master KDC
> [24633] 1476069033.488136: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
> [24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt
> "AD.ADDOMAIN.COMRajat.Gupta", params ""
> [24633] 1476069033.488215: PKINIT client has no configured identity; giving
> up
> [24633] 1476069033.488233: PKINIT client has no configured identity; giving
> up
> [24633] 1476069033.488242: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> [24633] 1476069033.488250: PKINIT client has no configured identity; giving
> up
> [24633] 1476069033.488255: Preauth module pkinit (14) (real) returned:
> 22/Invalid argument
> Password for rajat.g at AD.ADDOMAIN.COM:
> 
> this is working fine.
> =================================================================
> 
> 
> =================================================================
> against addomain from ipaclient:
> 
> ipaclinet ~] #  KRB5_TRACE=/dev/stdout kinit  rajat.g at AD.ADDOMAIN.COM
> [4133] 1476067599.43421: Getting initial credentials for
> rajat.g at AD.ADDOMAIN.COM
> [4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
> [4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
> [4133] 1476067599.53762: Sending initial UDP request to dgram
> 192.168.20.100
> 
> NOT WORKING
> =================================================================
> 
> =================================================================
> against ipadomain from ipaclient:
> 
> # KRB5_TRACE=/dev/stdout kinit  admin at IPA.IPASERVER.LOCAL
> [4914] 1476068067.763574: Getting initial credentials for
> admin at IPA.IPASERVER.LOCAL
> [4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
> [4914] 1476068067.764033: Initiating TCP connection to stream
> 10.246.104.14:88
> [4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
> [4914] 1476068067.767593: Received answer (356 bytes) from stream
> 192.168.100.100:88
> [4914] 1476068067.767603: Terminating TCP connection to stream
> 192.168.100.100:88
> [4914] 1476068067.767661: Response was from master KDC
> [4914] 1476068067.767685: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
> [4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt
> "k},(k&+qA)Mosf6z", params ""
> [4914] 1476068067.767747: Received cookie: MIT
> Password for admin at IPA.IPASERVER.LOCAL:
> 
> this is working fine.
> =================================================================
> 
> 
> It looks like, for password-based authentication requests, the IPA clients
> connect directly to the AD servers using Kerberos.
> 
> Then a firewall port opening is required between the IPA client and the AD
> server as well. Is it required? Or am I doing something wrong?

Yes, IPA clients need to talk to AD servers as well. Please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports


-- 
Petr^2 Spacek
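As an added example that is not part of this thread, the following Python script reads a KRB5_TRACE log like the two quoted above and reports whether the KDC for the realm was resolved, contacted, and answered; this separates a DNS/SRV or krb5.conf problem from a blocked port 88 between the client and the KDC. The two sample traces are constructed from the ones in the thread (with "@" restored and the port added to the client's last line).

```python
import re

# Constructed samples, condensed from the traces quoted in this thread.
CLIENT_TRACE = """\
[4133] 1476067599.43421: Getting initial credentials for rajat.g@AD.ADDOMAIN.COM
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100:88
"""
SERVER_TRACE = """\
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
"""

LINE_RE = re.compile(r"^\[\d+\] [\d.]+: (?P<msg>.*)$")
REALM_RE = re.compile(r"Sending request \(\d+ bytes\) to (?P<realm>\S+)")
RESOLVE_RE = re.compile(r"Resolving hostname (?P<host>\S+)")
SEND_RE = re.compile(r"Sending (?:initial )?(?:UDP|TCP) request to (?:dgram|stream) (?P<kdc>\S+)")
RECV_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (?P<kdc>\S+)")

NO_REQUEST = "no AS-REQ sent: check the realm name and krb5.conf"
NO_KDC = "no KDC resolved for the realm: check _kerberos SRV records or krb5.conf"
NO_ANSWER = "KDC resolved but never answered: port 88 from this host is likely blocked"
ANSWERED = "KDC answered"

def analyse_trace(text):
    """Summarise a KRB5_TRACE log: realm, resolved KDC hosts, and per-KDC answer status."""
    realm, resolved, contacted = None, [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a trace line (e.g. the password prompt)
        msg = m.group("msg")
        if (r := REALM_RE.search(msg)):
            realm = r.group("realm")
        elif (r := RESOLVE_RE.search(msg)):
            resolved.append(r.group("host").rstrip("."))
        elif (r := SEND_RE.search(msg)):
            contacted.setdefault(r.group("kdc"), False)   # sent, not yet answered
        elif (r := RECV_RE.search(msg)):
            contacted[r.group("kdc")] = True              # this KDC replied
    if realm is None:
        verdict = NO_REQUEST
    elif not resolved and not contacted:
        verdict = NO_KDC
    elif not any(contacted.values()):
        verdict = NO_ANSWER
    else:
        verdict = ANSWERED
    unanswered = [kdc for kdc, ok in contacted.items() if not ok]
    return {"realm": realm, "resolved": resolved, "unanswered": unanswered, "verdict": verdict}

if __name__ == "__main__":
    for name, trace in (("client", CLIENT_TRACE), ("server", SERVER_TRACE)):
        print(name, analyse_trace(trace))
```

Run it on a real trace with `KRB5_TRACE=/tmp/kinit.log kinit user@REALM` and feed the file to `analyse_trace`; an unanswered KDC address is the one to check with the firewall team.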



