[Freeipa-users] Kerberos Authentication (again)

Fraginhell fraginhell at gmail.com
Thu Dec 11 05:10:38 UTC 2008


Spot on, just double checked the nslookup on both client and server
and I get the same result.
Followed the client install, Configuring Kerberos, and then
Configuring Client SSH Access, as I don't need NFS or TLS in this lab.
I also checked the server times, which look correct too; since they
are both VMs they get the time from the host.
I did notice a slight difference between the /etc/krb5.conf file that
IPA client install creates and the one from the docs. I copied the one
from the docs; might try the original file from the install to see if
that makes a difference.





2008/12/11 Dmitri Pal <dpal at redhat.com>:
> Fraginhell wrote:
>>
>> Yes, I cannot create the service. It works on the IPA server, I can
>> create it there (and delete it again), maybe that's the problem.
>> I'm sure it's not on the IPA server anymore as
>>
>>
>
> So on the IPA server you run:
>
> ipa-addservice host/ipaclient.labs.example.com.au
>
> and it works.
>
> Then you delete it on the server, go to the client and try it there and it
> fails. Right?
> On the client you did the ipa-client-install and followed the instructions.
> And you did "kinit admin" on the client and it worked. I see the ticket below.
>
> Hm...
> Does the client nslookup also work and return same result as the one you
> have on the server?
>
> Dmitri
>>
>> ipa-findservice host/ipaclient.labs.example.com.au
>> No entries found for host/ipaclient.labs.example.com.au
>>
>> I just checked the client's /etc/krb5.keytab file and it does not exist.
>> What bothers me is on the server (/var/log/krb5kdc.log) the log says
>> UNKNOWN_SERVER. I'm not sure how much of the problem this is.
>>
>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>>
>>
>> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>>
>>>
>>> Fraginhell wrote:
>>>
>>>>
>>>> Dmitri,
>>>>
>>>> wow thanks for such a quick reply,
>>>>
>>>>
>>>>
>>>
>>> Hm, I might have misread the error in your original post.
>>> I thought that you managed to create the service record. It looks like it
>>> failed first.
>>> Are you saying it fails to create the service itself?
>>>
>>> Then this is really on the edge of what I understand (learning the product
>>> myself).
>>> Can it be that the host is already enrolled with some other Kerberos
>>> server and has a keytab from it?
>>>
>>> Sorry if there will be more confusion than help.
>>> Dmitri
>>>
>>>
>>>
>>>>
>>>>  ipa-getkeytab -s ipaserver.labs.example.com.au -p
>>>> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
>>>> SASL Bind failed!
>>>>
>>>> on the server I see
>>>> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>> found in Kerberos database
>>>>
>>>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>> found in Kerberos database
>>>>
>>>> The guide says to add the host principal first on the server. If I do an
>>>> ipa-findservice I can see lots of entries for the server but none for the
>>>> client.
>>>>
>>>> Keith.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2008/12/11 Dmitri Pal <dpal at redhat.com>:
>>>>
>>>>
>>>>>
>>>>> Fraginhell wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Sorry to bring the subject up again, but I can't see for looking where
>>>>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>>>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>>>>> DNS and reverse is working correctly.
>>>>>> IPA server installed without problems and so did the client. On the
>>>>>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>>>>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>>>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>>>>> My client is configured using the krb5.conf from the docs:
>>>>>>
>>>>>> [libdefaults]
>>>>>>  default_realm = LABS.EXAMPLE.COM.AU
>>>>>>  dns_lookup_realm = true
>>>>>>  dns_lookup_kdc = true
>>>>>>  #forwardable = yes
>>>>>>  ticket_lifetime = 24h
>>>>>>
>>>>>> [realms]
>>>>>>  LABS.EXAMPLE.COM.AU = {
>>>>>>  kdc = ipaserver.labs.example.com.au:88
>>>>>>  admin_server = ipaserver.labs.example.com.au:749
>>>>>>  default_domain = labs.example.com.au
>>>>>>  }
>>>>>> [domain_realm]
>>>>>>  .labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>>>  labs.example.com.au = LABS.EXAMPLE.COM.AU
>>>>>>
>>>>>> on the client I can kinit admin
>>>>>>
>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>>
>>>>>> Default principal: admin at LABS.EXAMPLE.COM.AU
>>>>>>
>>>>>> Valid starting     Expires            Service principal
>>>>>> 12/11/08 14:03:18  12/12/08 14:03:16
>>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>>
>>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>>> klist: You have no tickets cached
>>>>>>
>>>>>> on the ipaserver I can see the authentication complete
>>>>>>  Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH:
>>>>>> admin at LABS.EXAMPLE.COM.AU for
>>>>>> krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU, Additional
>>>>>> pre-authentication required
>>>>>>
>>>>>> Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>>> AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime
>>>>>> 1228964598, etypes {rep=18 tkt=18 ses=18}, admin at LABS.EXAMPLE.COM.AU
>>>>>> for krbtgt/LABS.EXAMPLE.COM.AU at LABS.EXAMPLE.COM.AU
>>>>>>
>>>>>> now when I add the host service
>>>>>> ipa-addservice host/ipaclient.labs.example.com.au
>>>>>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>>>>>> provide more information/Server not found in Kerberos database
>>>>>> On the server I see
>>>>>>
>>>>>> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
>>>>>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>>>>>> authtime 1228964598,  admin at LABS.EXAMPLE.COM.AU for
>>>>>> HTTP/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>>>>>> found in Kerberos database
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Did you do ipa-getkeytab on the client where the service is going to
>>>>> run?
>>>>> See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
>>>>> retrieve keytab before using service.
>>>>> The operation will initialize Kerberos attributes inside the service
>>>>> entry.
>>>>> Without it the service is just an empty container not yet known to the KDC.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>>>>>
>>>>>
>>>>>>
>>>>>> According to troubleshooting, this is a dns problem:
>>>>>> on the server
>>>>>> nslookup ipaclient
>>>>>>
>>>>>> Server:         127.0.0.1
>>>>>> Address:        127.0.0.1#53
>>>>>> Name:   ipaclient.labs.example.com.au
>>>>>> Address: 10.212.50.31
>>>>>>
>>>>>>  nslookup 10.212.50.31
>>>>>> Server:         127.0.0.1
>>>>>> Address:        127.0.0.1#53
>>>>>> 31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.
>>>>>>
>>>>>> The other mention in the troubleshooting guide is:
>>>>>> You may have multiple entries for the same host created by different
>>>>>> KDCs.
>>>>>> Not sure what this means, or where to go from here.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Keith.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>>>
>
>




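An added example, not part of the thread: a small Python checker that parses krb5kdc.log request lines of the shape quoted above (with the `@` that the list archive renders as ` at ` restored) and reports requests the KDC rejected, plus host-based service principals whose hostname is not one of the two hosts the thread's nslookup output resolves. The sample log lines and the known-host list are constructed from the thread; nothing here is FreeIPA's own code.

```python
import re
from typing import Dict, List, Optional

# Hosts the thread's nslookup output resolves (constructed from the thread).
KNOWN_HOSTS = {"ipaserver.labs.example.com.au", "ipaclient.labs.example.com.au"}

# One krb5kdc.log AS_REQ/TGS_REQ line in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, +)?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+?) for (?P<service>\S+?)(?:, (?P<detail>.*))?$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a KDC request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def service_host(principal: str) -> Optional[str]:
    """host/ipaclient.example@REALM -> 'ipaclient.example'; user and krbtgt -> None."""
    name = principal.split("@", 1)[0]
    if "/" not in name or name.startswith("krbtgt/"):
        return None
    return name.split("/", 1)[1]

def check_log(text: str, known_hosts=KNOWN_HOSTS) -> List[str]:
    """Flag rejected requests and service hostnames that are not known hosts."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] not in ("ISSUE", "NEEDED_PREAUTH"):
            findings.append(f"{rec['ts']} {rec['req']} from {rec['ip']}: "
                            f"{rec['status']} for {rec['service']}")
        host = service_host(rec["service"])
        if host is not None and host not in known_hosts:
            findings.append(f"{rec['ts']} service host {host!r} is not a known host "
                            f"(client {rec['client']} asked for it)")
    return findings

# Constructed sample: the three KDC lines quoted in the thread, '@' restored.
SAMPLE_LOG = """\
Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required
Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU
Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598,  admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database
"""

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG):
        print(finding)
```

On the sample it reports two findings for the TGS_REQ line: the UNKNOWN_SERVER status and the service hostname that is not in the known-host list.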