[Freeipa-users] Kerberos Authentication (again)

Dmitri Pal dpal at redhat.com
Thu Dec 11 03:37:25 UTC 2008


Fraginhell wrote:
> Hi,
>
> Sorry to bring the subject up again, but I can't see for looking where
> I might have gone wrong. I have setup a lab with Fedora 9. I have an
> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
> Dns and reverse is working correctly.
> IPA server installed without problems and so did the client. On the
> server I can kinit admin and then ipa-finduser admin and ldapsearch
> -Y GSSAPI -h ipaserver.labs.example.com.au -b
> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
> My client is configured using the krb5.conf from the docs
>
> [libdefaults]
>  default_realm = LABS.EXAMPLE.COM.AU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  #forwardable = yes
>  ticket_lifetime = 24h
>
> [realms]
>  LABS.EXAMPLE.COM.AU = {
>   kdc = ipaserver.labs.example.com.au:88
>   admin_server = ipaserver.labs.example.com.au:749
>   default_domain = labs.example.com.au
>  }
> [domain_realm]
>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>
> on the client I can kinit admin
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> Default principal: admin@LABS.EXAMPLE.COM.AU
>
> Valid starting     Expires            Service principal
> 12/11/08 14:03:18  12/12/08 14:03:16
> krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> on the ipaserver I can see the authentication complete
> Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
> admin@LABS.EXAMPLE.COM.AU for
> krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional
> pre-authentication required
>
> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU
> for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
>
> now when I add the host service
> ipa-addservice host/ipaclient.labs.example.com.au
> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
> provide more information/Server not found in Kerberos database
> On the server I see
>
> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for
> HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
>   
Did you do ipa-getkeytab on the client where the service is going to run?
See http://www.freeipa.org/page/ConfiguringFedoraClients for the steps to 
retrieve the keytab before using the service.
The operation will initialize Kerberos attributes inside the service 
entry. Without it the service is just an empty container not yet known 
to the KDC.

Thanks
Dmitri
> According to troubleshooting, this is a DNS problem:
> on the server
> nslookup ipaclient
>
> Server:		127.0.0.1
> Address:	127.0.0.1#53
> Name:	ipaclient.labs.example.com.au
> Address: 10.212.50.31
>
>  nslookup 10.212.50.31
> Server:		127.0.0.1
> Address:	127.0.0.1#53
> 31.50.212.10.in-addr.arpa	name = ipaclient.labs.example.com.au.
>
> The other mention in the troubleshooting guide is :
> You may have multiple entries for the same host created by different KDCs.
> Not sure what this means, or where to go from here.
>
> Thanks
>
> Keith.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>   
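The KDC log lines quoted above are the most useful evidence in this thread: the TGS_REQ entry names the exact service principal the client asked for and the KDC's reason for refusing it. The following script is an added example, not code from the thread or from the FreeIPA project. It parses krb5kdc syslog lines in the format shown above, picks out UNKNOWN_SERVER ("Server not found in Kerberos database") events, and sorts each one into a likely cause: the host is enrolled but the service entry has no keys yet (Dmitri's point: the keytab has not been retrieved), the requested hostname only resembles an enrolled host (a client-side hostname or DNS mismatch), or the host is not enrolled at all. The sample log lines, the inventory of enrolled hosts and keyed principals, and the similarity heuristic are all constructed assumptions for the demo; in a real deployment the inventory would come from the IPA server, and a principal in the "keyed" set that still shows up as unknown is a pointer to the duplicate-entry case the troubleshooting guide mentions.

```python
"""Triage UNKNOWN_SERVER failures in krb5kdc log lines (added example)."""
import difflib
import re

# Constructed sample of krb5kdc syslog lines, modelled on the entries quoted in
# the thread (each entry on one line, with the "@" restored that the archive
# rewrote as " at ").
SAMPLE_LOG = """\
Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
Dec 11 14:09:02 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for host/ipaclient.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

# Constructed inventory (assumption for the demo): hosts enrolled in the realm,
# and service principals whose entries already hold Kerberos keys, i.e. where
# ipa-getkeytab has been run.
ENROLLED_HOSTS = {"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"}
KEYED_PRINCIPALS = {
    "host/ipaserver.labs.example.com.au@LABS.EXAMPLE.COM.AU",
    "HTTP/ipaserver.labs.example.com.au@LABS.EXAMPLE.COM.AU",
    "ldap/ipaserver.labs.example.com.au@LABS.EXAMPLE.COM.AU",
}

# One krb5kdc request line: timestamp, KDC host, process, request type,
# offered etypes, client IP, status code and the free-form remainder.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[\d+\]\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{[^}]*\}\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# Remainder of an UNKNOWN_SERVER line: "<client> for <service>, Server not found ..."
UNKNOWN_SERVER_RE = re.compile(
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+), "
    r"Server not found in Kerberos database$"
)


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def classify(service_principal, enrolled_hosts, keyed_principals):
    """Return (verdict, hint) for a service principal the KDC did not know."""
    _, host, _ = split_principal(service_principal)
    if service_principal in keyed_principals:
        # Our inventory says keys exist, yet the KDC says unknown: the entry the
        # KDC sees is not the one we expect (e.g. duplicate host entries).
        return "inconsistent", (
            f"{service_principal} should be keyed but the KDC reports it unknown; "
            "check for duplicate entries for this host")
    if host in enrolled_hosts:
        # Host is enrolled but this service has no keys yet: the keytab for the
        # service has not been retrieved on that host.
        return "no-keytab", (
            f"host {host} is enrolled but {service_principal} has no keys; "
            "retrieve its keytab with ipa-getkeytab on that host")
    # Heuristic (assumption): a near-miss spelling of an enrolled host points at
    # the client's own hostname, /etc/hosts or DNS, not at the KDC.
    near = difflib.get_close_matches(host, sorted(enrolled_hosts), n=1, cutoff=0.8)
    if near:
        return "name-mismatch", (
            f"requested host {host!r} resembles enrolled host {near[0]!r}; "
            "check the client's hostname, DNS and service configuration")
    return "unknown-host", f"host {host} is not enrolled in the realm"


def triage(log_text, enrolled_hosts=ENROLLED_HOSTS, keyed_principals=KEYED_PRINCIPALS):
    """Parse krb5kdc lines and return one finding per UNKNOWN_SERVER event."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "UNKNOWN_SERVER":
            continue
        u = UNKNOWN_SERVER_RE.search(m["detail"])
        if not u:
            continue
        verdict, hint = classify(u["service"], enrolled_hosts, keyed_principals)
        findings.append({
            "ts": m["ts"], "ip": m["ip"], "client": u["client"],
            "service": u["service"], "host": split_principal(u["service"])[1],
            "verdict": verdict, "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['client']} -> {f['service']}: "
              f"{f['verdict']}: {f['hint']}")
```

Run against the constructed sample, the HTTP request is flagged as a name mismatch (the requested host differs from the enrolled server name by one letter) and the host/ipaclient request as a missing keytab, which is the case Dmitri's reply addresses. Only the TGS_REQ lines with UNKNOWN_SERVER produce findings; successful AS_REQ lines are ignored.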