[Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones Steven.Jones at vuw.ac.nz
Wed Mar 9 19:21:17 UTC 2011


Hi,

I had/have already done the uninstall...and re-install.

Also I registered a brand new 2nd client...that hasn't worked
either......

regards


On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > Hi,
> >
> > Log,
> >
> 
> The error is "Host is already joined" so no keytab is requested. The 
> enrollment failed.
> 
> ipa-client-install --uninstall should unenroll the client (you can 
> verify that Keytab is False in ipa host-show <client_fqdn> on the IPA 
> server).
> 
> If so running ipa-client-install on the client should configure things 
> properly.
> 
> rob
> 
> > ============
> > 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
> > with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
> > 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
> > 'server': None, 'prompt_password': False, 'realm_name': None,
> > 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
> > None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> > 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
> > interactively later
> >
> > 2011-03-04 15:08:58,726 DEBUG Loading Index file from
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
> > 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
> > 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
> > 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
> > -O /tmp/tmp7MhOze/ca.crt
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > 2011-03-04 15:08:58,736 DEBUG stdout=
> > 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1321 (1.3K) [application/x-x509-ca-cert]
> > Saving to: `/tmp/tmp7MhOze/ca.crt'
> >
> >       0K .                                                     100%
> > 237M=0s
> >
> > 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
> > [1321/1321]
> >
> >
> > 2011-03-04 15:08:58,736 DEBUG Init ldap with:
> > ldap://fed14-64-ipam001.ipa.ac.nz:389
> > 2011-03-04 15:08:58,749 DEBUG Search rootdse
> > 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
> > dc=ipa,dc=ac,dc=nz(base)
> > 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
> > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
> > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> > ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
> > 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
> > in dc=ipa,dc=ac,dc=nz(sub)
> > 2011-03-04 15:08:58,753 DEBUG Found:
> > [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
> > ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
> > ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> > 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> > 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> > 'krbMaxRenewableAge': ['604800']})]
> > 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
> >
> > 2011-03-04 15:08:58,753 DEBUG will use server:
> > fed14-64-ipam001.ipa.ac.nz
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
> >
> > 2011-03-04 15:09:04,645 DEBUG will use principal: admin
> >
> > 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > 2011-03-04 15:09:04,659 DEBUG stdout=
> > 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1321 (1.3K) [application/x-x509-ca-cert]
> > Saving to: `/etc/ipa/ca.crt'
> >
> >       0K .                                                     100%
> > 249M=0s
> >
> > 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
> >
> >
> > 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ
> > 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ:
> >
> > 2011-03-04 15:09:11,665 DEBUG stderr=
> > 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
> > fed14-64-ipam001.ipa.ac.nz
> > 2011-03-04 15:09:13,931 DEBUG stdout=
> > 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
> >
> > 2011-03-04 15:09:13,937 DEBUG args=kdestroy
> > 2011-03-04 15:09:13,937 DEBUG stdout=
> > 2011-03-04 15:09:13,937 DEBUG stderr=
> > 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
> > '/etc/ipa/default.conf'
> > 2011-03-04 15:09:13,938 DEBUG   ->  Not backing up -
> > '/etc/ipa/default.conf' doesn't exist
> > 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
> > '/etc/sssd/sssd.conf'
> > 2011-03-04 15:09:13,938 DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
> > -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> > 2011-03-04 15:09:14,012 DEBUG stdout=
> > 2011-03-04 15:09:14,012 DEBUG stderr=
> > 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
> > '/etc/krb5.conf'
> > 2011-03-04 15:09:14,013 DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
> > 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped
> >
> > 2011-03-04 15:09:14,104 DEBUG stderr=
> > 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
> > 2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
> > Starting certmonger: [  OK  ]
> >
> > 2011-03-04 15:09:14,280 DEBUG stderr=
> > 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
> > 2011-03-04 15:09:14,295 DEBUG stdout=certmonger     	0:off	1:off	2:off
> > 3:off	4:off	5:off	6:off
> >
> > 2011-03-04 15:09:14,295 DEBUG stderr=
> > 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
> > 2011-03-04 15:09:14,564 DEBUG stdout=
> > 2011-03-04 15:09:14,564 DEBUG stderr=
> > 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
> > -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N
> > CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K
> > host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ
> > 2011-03-04 15:09:14,586 DEBUG stdout=Error
> > org.fedorahosted.certmonger.duplicate: Certificate at same location is
> > already used by request "20110303020539".
> >
> > 2011-03-04 15:09:14,586 DEBUG stderr=
> > 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
> > 2011-03-04 15:09:14,605 DEBUG stdout=
> > 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be
> > canonicalized when creating default server principal name
> >
> > 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt
> > 2011-03-04 15:09:14,764 DEBUG stdout=
> > 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may
> > have expired.
> >
> > 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
> > 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...
> >
> > 2011-03-04 15:09:14,827 DEBUG stderr=
> > 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
> > 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [  OK  ]
> >
> > 2011-03-04 15:09:14,856 DEBUG stderr=
> > 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
> > 2011-03-04 15:09:14,858 DEBUG stdout=nscd           	0:off	1:off	2:on
> > 3:on	4:on	5:on	6:off
> >
> > 2011-03-04 15:09:14,858 DEBUG stderr=
> > 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
> > 2011-03-04 15:09:14,958 DEBUG stdout=
> > 2011-03-04 15:09:14,958 DEBUG stderr=
> > 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd
> > --enablesssdauth --update
> > 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [  OK  ]
> > [  OK  ]
> >
> > 2011-03-04 15:09:16,402 DEBUG stderr=
> > 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
> > 2011-03-04 15:09:16,419 DEBUG stdout=
> > 2011-03-04 15:09:16,419 DEBUG stderr=
> > 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
> > 2011-03-04 15:09:17,424 DEBUG stdout=
> > 2011-03-04 15:09:17,424 DEBUG stderr=
> > 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
> > 2011-03-04 15:09:18,429 DEBUG stdout=
> > 2011-03-04 15:09:18,429 DEBUG stderr=
> > 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
> > 2011-03-04 15:09:19,432 DEBUG stdout=
> > 2011-03-04 15:09:19,432 DEBUG stderr=
> > 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
> > 2011-03-04 15:09:20,436 DEBUG stdout=
> > 2011-03-04 15:09:20,436 DEBUG stderr=
> > 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5
> > --update --nostart
> > 2011-03-04 15:09:22,303 DEBUG stdout=
> > 2011-03-04 15:09:22,303 DEBUG stderr=
> > 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file
> > '/etc/ntp.conf'
> > 2011-03-04 15:09:22,304 DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file
> > '/etc/sysconfig/ntpd'
> > 2011-03-04 15:09:22,305 DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
> > 2011-03-04 15:09:22,398 DEBUG stdout=
> > 2011-03-04 15:09:22,398 DEBUG stderr=
> > 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
> > 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [  OK  ]
> > Starting ntpd: [  OK  ]
> >
> > 2011-03-04 15:09:22,537 DEBUG stderr=
> > ============
> >
> > regards
> >
> > On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> >> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> >> Stephen Gallagher<sgallagh at redhat.com>  wrote:
> >>
> >>>
> >>>
> >>> On Mar 8, 2011, at 5:45 PM, Steven Jones<Steven.Jones at vuw.ac.nz>
> >>> wrote:
> >>>
> >>>> Keytab name: WRFILE:/etc/krb5.keytab
> >>>> KVNO Principal
> >>>> ----
> >>>> --------------------------------------------------------------------------
> >>>>
> >>>> 8><---------
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>> Looks like you have no host key in the keytab. That's the root of the
> >>> problem. Seems like IPA-client-install failed to populate it. Rob, do
> >>> you have any insight here?
> >>
> >> Does /var/log/ipaclient-install.log show any error?
> >>
> >> Simo.
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> 
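An added example, not part of the original thread or of the FreeIPA code: a small Python parser for the ipaclient-install.log format quoted above. It groups each args= entry with its stdout=/stderr= and reports the steps whose output contains the failure strings seen in this log. The sample is an abridged excerpt of the quoted log with mail wrapping undone; the function names and the marker list are assumptions made for illustration.

```python
import re

# Abridged excerpt of the log quoted in this thread, mail line-wrapping undone.
SAMPLE_LOG = """\
2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
2011-03-04 15:09:14,586 DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110303020539".
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
"""

ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} DEBUG (?:(args|stdout|stderr)=)?(.*)$")
# Failure strings taken from this log; non-empty stderr alone (wget progress) is not a failure.
FAILURE_MARKERS = ("Host is already joined", "certmonger.duplicate",
                   "cannot be canonicalized", "Check your Kerberos ticket")

def parse_commands(text):
    """Group args=/stdout=/stderr= entries into one record per command."""
    commands, key = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None:                      # wrapped tool output belongs to the open field
            if key:
                commands[-1][key] += "\n" + line
        elif m.group(1) is None:           # unrelated DEBUG message closes the field
            key = None
        elif m.group(1) == "args":
            commands.append({"args": m.group(2), "stdout": "", "stderr": ""})
            key = "args"
        elif commands:
            key = m.group(1)
            commands[-1][key] = m.group(2)
    return commands

def failed_steps(commands):
    """Return (program, marker) for every command whose output holds a failure marker."""
    return [(c["args"].split(" ", 1)[0], mk) for c in commands for mk in FAILURE_MARKERS
            if mk in c["stdout"] + "\n" + c["stderr"]]

def join_already_enrolled(commands):
    """True when ipa-join reported 'Host is already joined', the error this thread identifies."""
    return any(p.endswith("ipa-join") and mk == FAILURE_MARKERS[0] for p, mk in failed_steps(commands))

if __name__ == "__main__":
    print(failed_steps(parse_commands(SAMPLE_LOG)))
```
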




