[Freeipa-users] Kerberos Authentication (again)

Fraginhell fraginhell at gmail.com
Thu Dec 11 04:05:32 UTC 2008


Dmitri,

Wow, thanks for such a quick reply.

 ipa-getkeytab -s ipaserver.labs.example.com.au -p
host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
SASL Bind failed!

On the server I see:
# Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database

Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598,  admin at LABS.INFOPLEX.COM.AU for
ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database

The guide says to add the host principal first on the server. If I do an
ipa-findservice I can see lots of entries for the server but none for the
client.

Keith.

2008/12/11 Dmitri Pal <dpal at redhat.com>:
> Fraginhell wrote:
>>
>> Hi,
>>
>> Sorry to bring the subject up again, but I can't see for looking where
>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>> DNS and reverse lookups are working correctly.
>> IPA server installed without problems and so did the client. On the
>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>> My client is configured using the krb5.conf from the docs
>>
>> [libdefaults]
>>  default_realm = LABS.EXAMPLE.COM.AU
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  #forwardable = yes
>>  ticket_lifetime = 24h
>>
>> [realms]
>>  LABS.EXAMPLE.COM.AU = {
>>  kdc = ipaserver.labs.example.com.au:88
>>  admin_server = ipaserver.labs.example.com.au:749
>>  default_domain = labs.example.com.au
>>  }
>> [domain_realm]
>>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>>
>> on the client I can kinit admin
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>>
>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>
>> Valid starting     Expires            Service principal
>> 12/11/08 14:03:18  12/12/08 14:03:16
>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> on the ipaserver I can see the authentication complete
>>  Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>> admin at LABS.EXAMPLE.COM.AU for
>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>> pre-authentication required
>>
>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>
>> now when I add the host service
>> ipa-addservice host/ipaclient.labs.example.com.au
>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>> provide more information/Server not found in Kerberos database
>> On the server I see
>>
>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>>
>
> Did you do ipa-getkeytab on the client where the service is going to run?
> See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
> retrieve keytab before using service.
> The operation will initialize kerberos attributes inside the service entry.
> Without it the service is just an empty container not yet known to KDC.
>
> Thanks
> Dmitri
>>
>> According to troubleshooting, this is a DNS problem:
>> on the server
>> nslookup ipaclient
>>
>> Server:         127.0.0.1
>> Address:        127.0.0.1#53
>> Name:   ipaclient.labs.example.com.au
>> Address: 10.212.50.31
>>
>>  nslookup 10.212.50.31
>> Server:         127.0.0.1
>> Address:        127.0.0.1#53
>> 31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.
>>
>> The other mention in the troubleshooting guide is :
>> You may have multiple entries for the same host created by different KDCs.
>> Not sure what this means, or where to go from here.
>>
>> Thanks
>>
>> Keith.
>>
>>
>
>
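As an added example (not from this thread or the FreeIPA project), a small Python parser for krb5kdc records like the ones quoted above: it counts UNKNOWN_SERVER results per requested service principal and compares each service host against the hosts you know are enrolled, suggesting the closest enrolled name for any host that is not. The sample records and the known-host list are constructed from this thread; whether a near-miss points at DNS, the client's hostname or a typo is for the operator to confirm.

```python
import re
from collections import Counter
from difflib import get_close_matches

# One krb5kdc request record per line; the list archive rewrites "@" as " at ",
# so the constructed samples below restore the "@".
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+):\s+"
    r"(?:authtime \d+,\s+)?(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def parse_kdc_line(line):
    """Fields req/ip/status/client/service of a KDC request record, or None."""
    m = KDC_RE.search(line)
    return m.groupdict() if m else None

def service_host(principal):
    """Host part of service/host@REALM, lower-cased; None for krbtgt or user principals."""
    name = principal.split("@", 1)[0]
    if "/" not in name or name.startswith("krbtgt/"):
        return None
    return name.split("/", 1)[1].lower()

def unknown_server_report(lines, known_hosts):
    """Count UNKNOWN_SERVER failures per requested service principal and, for each
    service host that is not an enrolled host, suggest the closest enrolled name."""
    known = {h.lower() for h in known_hosts}
    counts = Counter()
    suggestions = {}
    for line in lines:
        rec = parse_kdc_line(line)
        if not rec or rec["status"] != "UNKNOWN_SERVER":
            continue
        counts[rec["service"]] += 1
        host = service_host(rec["service"])
        if host and host not in known:
            close = get_close_matches(host, sorted(known), n=1, cutoff=0.8)
            suggestions[host] = close[0] if close else None
    return counts, suggestions

# Constructed sample records, taken from the lines quoted in this thread.
SAMPLE_LOG = [
    "Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU",
    "Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database",
    "Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database",
]
KNOWN_HOSTS = ["ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"]
```

Call `unknown_server_report(SAMPLE_LOG, KNOWN_HOSTS)` on a real /var/log/krb5kdc.log (records joined back onto single lines) with your enrolled host list to see which service principals the KDC is rejecting and why.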