On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
Hi everyone,
I'm trying a client, when I do:
$ ipa-client-install --no-ntp --force-join
Discovery was successful!
...
Also note that following ports are necessary for ipa-client working
properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529638936):
Preauthentication failed
Installation failed. Rolling back changes.
-- end
At server's end (one single server in domain):
..
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info):
closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info):
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH:
admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info):
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime
1515250943, etypes {rep=18 tkt=18 ses=18},
admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime
1515250943, etypes {rep=18 tkt=18 ses=18},
admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
ldap/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info):
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime
1515250943, etypes {rep=18 tkt=18 ses=18},
admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
HTTP/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
-- end
But after many tries (randomly) suddenly it would succeed. Client said to
use --force-join.
VERSION: 4.5.0, API_VERSION: 2.228
What can be the problem?
regards, L.
Hi,
what is the content of /etc/krb5.conf on your client? Does it contain
"includedir /etc/krb5.conf.d/" and if it is the case, what is the
content of the included files?
During the client installation, a temp krb5.conf is created and also
contains "includedir /etc/krb5.conf.d/". If there are snippets in this
directory which define parameters for the IPA realm, then the parameters
might be conflicting with the ones needed by the installer.
Flo
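
The check described in the reply above can be scripted. This is an added example, not part of the original thread or of FreeIPA: it lists the settings in krb5.conf.d-style snippets that affect a given realm. The realm name, file names and snippet contents in demo() are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Names libkrb5 loads from an includedir: only alphanumerics, dashes and
# underscores, or (since krb5 1.15) a non-hidden name ending in ".conf".
INCLUDED = re.compile(r"[A-Za-z0-9_-]+|[^.].*\.conf")

def realm_settings(conf_dir, realm):
    """Return (file, section, line_no, text) for snippet lines that affect realm."""
    hits = []
    for path in sorted(Path(conf_dir).iterdir()):
        if not path.is_file() or not INCLUDED.fullmatch(path.name):
            continue
        section, depth, in_realm = None, 0, False
        for no, raw in enumerate(path.read_text().splitlines(), 1):
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            head = re.fullmatch(r"\[(\w+)\]", line)
            if head:
                section, depth, in_realm = head.group(1), 0, False
                continue
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "realms":
                if value.startswith("{"):   # realm block or nested subsection
                    depth += 1
                    hit, in_realm = in_realm, in_realm or (depth == 1 and key == realm)
                elif line == "}":
                    depth -= 1
                    hit, in_realm = False, in_realm and depth > 0
                else:
                    hit = in_realm
            else:
                hit = (section == "domain_realm" and value == realm) or (
                    section == "libdefaults" and key == "default_realm")
            if hit:
                hits.append((path.name, section, no, line))
    return hits

def demo():
    # Constructed snippets and placeholder realm, not taken from the thread.
    snippets = {"site_realm": "[realms]\nOTHER.TEST = {\n kdc = kdc.other.test\n}\n"
                              "IPA.EXAMPLE.TEST = {\n kdc = old-kdc.example.test\n}\n",
                "crypto.conf": "[libdefaults]\ndefault_realm = OTHER.TEST\n",
                "notes.bak": "[libdefaults]\ndefault_realm = X\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in snippets.items():
            Path(d, name).write_text(text)
        return realm_settings(d, "IPA.EXAMPLE.TEST")
```

On a client, call realm_settings("/etc/krb5.conf.d", "<YOUR.REALM>") and review each reported line before re-running ipa-client-install.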