
[Freeipa-users] Kerberos Authentication (again)



Hi,

Sorry to bring the subject up again, but I can't see for looking where
I might have gone wrong. I have set up a lab with Fedora 9. I have an
ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
DNS and reverse DNS are working correctly.
IPA server installed without problems and so did the client. On the
server I can kinit admin and then ipa-finduser admin and ldapsearch
-Y GSSAPI -h ipaserver.labs.example.com.au -b
"dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
My client is configured using the krb5.conf from the docs:

[libdefaults]
 default_realm = LABS.EXAMPLE.COM.AU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 #forwardable = yes
 ticket_lifetime = 24h

[realms]
 LABS.EXAMPLE.COM.AU = {
  kdc = ipaserver.labs.example.com.au:88
  admin_server = ipaserver.labs.example.com.au:749
  default_domain = labs.example.com.au
 }
[domain_realm]
 .labs.example.com.au = LABS.EXAMPLE.COM.AU
 labs.example.com.au = LABS.EXAMPLE.COM.AU

On the client I can kinit admin:

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: admin@LABS.EXAMPLE.COM.AU

Valid starting     Expires            Service principal
12/11/08 14:03:18  12/12/08 14:03:16
krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

On the ipaserver I can see the authentication complete:

Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
admin@LABS.EXAMPLE.COM.AU for
krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional
pre-authentication required

Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU
for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Now when I add the host service:

ipa-addservice host/ipaclient.labs.example.com.au
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
provide more information/Server not found in Kerberos database

On the server I see:

Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for
HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database

According to the troubleshooting guide, this is a DNS problem. On the
server:

nslookup ipaclient

Server:		127.0.0.1
Address:	127.0.0.1#53
Name:	ipaclient.labs.example.com.au
Address: 10.212.50.31

nslookup 10.212.50.31
Server:		127.0.0.1
Address:	127.0.0.1#53
31.50.212.10.in-addr.arpa	name = ipaclient.labs.example.com.au.

The other mention in the troubleshooting guide is:
You may have multiple entries for the same host created by different KDCs.
Not sure what this means, or where to go from here.

Thanks

Keith.
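The KDC log quoted above carries the useful evidence: on an UNKNOWN_SERVER
the line names the exact service principal the client asked for, and the
first thing to check is whether the host part of that principal matches a
host that is actually enrolled. Below is a small added diagnostic (example
code written for this post, not part of FreeIPA or the troubleshooting
guide) that parses krb5kdc log lines in the format shown, pulls out the
requesting IP, the client and the requested service principal, and for
every UNKNOWN_SERVER compares the service hostname against a list of
enrolled hosts, suggesting the closest name. The log lines and the
KNOWN_HOSTS set are constructed to mirror the lab in the post; the host
list is an assumption, in practice it would come from the server's host
inventory.

```python
import re
import difflib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of krb5kdc log lines, re-typed in the format quoted in
# the post (principals written in full as user@REALM and service/host@REALM).
SAMPLE_LOG = """\
Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

# Assumed list of hosts that really have principals in this KDC (constructed
# for the lab in the post; take it from the server's host inventory in practice).
KNOWN_HOSTS = {"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"}

# Request type, client IP and KDC status code of one log line.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+):"
)
# "<client principal> for <server principal>", principals stop at space or comma.
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")


@dataclass
class KdcEvent:
    req: str
    client_ip: str
    status: str
    client: str
    server: str


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc line; return None for lines that are not AS/TGS requests."""
    m = LINE_RE.search(line)
    p = PRINC_RE.search(line)
    if not m or not p:
        return None
    return KdcEvent(m["req"], m["ip"], m["status"], p["client"], p["server"])


def parse_log(text: str) -> List[KdcEvent]:
    return [e for e in (parse_kdc_line(l) for l in text.splitlines()) if e]


def service_host(principal: str) -> Optional[str]:
    """'HTTP/host.example@REALM' -> 'host.example'; krbtgt and user principals -> None."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    svc, inst = name.split("/", 1)
    if svc == "krbtgt":
        return None
    return inst.lower()


def diagnose_unknown_server(events: List[KdcEvent],
                            known_hosts=KNOWN_HOSTS) -> List[Tuple[str, Optional[str]]]:
    """For each UNKNOWN_SERVER event, pair the requested principal with the
    closest enrolled hostname (or None if nothing is within the cutoff)."""
    findings = []
    for ev in events:
        if ev.status != "UNKNOWN_SERVER":
            continue
        host = service_host(ev.server)
        if host is None:
            findings.append((ev.server, None))
            continue
        close = difflib.get_close_matches(host, sorted(known_hosts), n=1, cutoff=0.8)
        findings.append((ev.server, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for server, suggestion in diagnose_unknown_server(parse_log(SAMPLE_LOG)):
        hint = f"closest enrolled host: {suggestion}" if suggestion else "no close match"
        print(f"UNKNOWN_SERVER for {server} ({hint})")
```

Run against the constructed lines, the only UNKNOWN_SERVER is the request for
HTTP/ipasever.labs.example.com.au, and the nearest enrolled name is
ipaserver.labs.example.com.au; a near-miss like that points at the client
side configuration that names the IPA server, whereas a hostname with no
close match at all points at enrollment or DNS.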

