I'm having trouble logging in via the GUI console to an Ubuntu 16 Desktop host that is affiliated with a FreeIPA server, which in turn is affiliated with an Active Directory server.

When I try to log in with debugging turned up on the SSSD I see an underlying error in the krb5_child log file: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM

Following an example from the freeipa-users mailing list, I am just working with kinit and kvno to identify the underlying problem. I get the same error, which I suppose is good. But I don't know how to resolve it from here. The transcript is below. On the first try at kvno, I get the same error. On the second try, it works. Any idea why? I suspect the failure on the first try is the real problem with authentication from the console. Any hints what to try next?
There is currently no resolution for this. If you'd use different domain trees ( ) it would work. It would work also for AD owning
Thanks
----- /etc/krb5.conf -----
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
----- Transcript -----
$ kdestroy -A
$ kinit aduser@AD.EXAMPLE.COM
Password for aduser@AD.EXAMPLE.COM:
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: aduser@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	renew until 08/15/2017 09:59:17
$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1994] 1502719211.714019: Getting credentials aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
[1994] 1502719211.714237: Retrieving aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714318: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714376: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
[1994] 1502719211.714395: Starting with TGT for client realm: aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714439: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714456: Requesting TGT krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714486: Generated subkey for TGS request: aes256-cts/020C
[1994] 1502719211.714525: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.714605: Encoding request body and padata into FAST request
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.719053: Sending initial UDP request to dgram 192.168.1.2:88
[1994] 1502719211.742171: Received answer (309 bytes) from dgram 192.168.1.2:88
[1994] 1502719211.743066: Response was not from master KDC
[1994] 1502719211.743082: Decoding FAST response
[1994] 1502719211.743109: Request or response is too big for UDP; retrying with TCP
[1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
[1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.744908: Initiating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
[1994] 1502719211.805666: Received answer (1643 bytes) from stream 192.168.1.2:88
[1994] 1502719211.805678: Terminating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.806709: Response was not from master KDC
[1994] 1502719211.806735: Decoding FAST response
[1994] 1502719211.806789: FAST reply key: aes256-cts/820C
[1994] 1502719211.806808: TGS reply is for aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM with session key aes256-cts/B56C
[1994] 1502719211.806822: TGS request result: 0/Success
[1994] 1502719211.806826: Storing aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM in KEYRING:persistent:1000:1000
[1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806915: Requesting tickets for host/myhost.example.com@EXAMPLE.COM, referrals on
[1994] 1502719211.806924: Generated subkey for TGS request: aes256-cts/D365
[1994] 1502719211.806940: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.806968: Encoding request body and padata into FAST request
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.601419: Getting credentials aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
[1995] 1502719219.601516: Retrieving aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1995] 1502719219.601556: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
[1995] 1502719219.601559: Found cached TGT for service realm: aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1995] 1502719219.601561: Requesting tickets for host/myhost.example.com@EXAMPLE.COM, referrals on
[1995] 1502719219.601573: Generated subkey for TGS request: aes256-cts/5EC1
[1995] 1502719219.601592: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1995] 1502719219.601639: Encoding request body and padata into FAST request
[1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
[1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
[1995] 1502719219.604856: Sending initial UDP request to dgram 192.168.1.1:88
[1995] 1502719219.621855: Received answer (1680 bytes) from dgram 192.168.1.1:88
[1995] 1502719219.622767: Response was not from master KDC
[1995] 1502719219.622783: Decoding FAST response
[1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
[1995] 1502719219.622852: TGS reply is for aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM with session key aes256-cts/B41C
[1995] 1502719219.622866: TGS request result: 0/Success
[1995] 1502719219.622868: Received creds for desired service host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.622871: Storing aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM in KEYRING:persistent:1000:1000
host/myhost.example.com@EXAMPLE.COM: kvno = 7
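As an added diagnostic aid (not from the original post, FreeIPA or MIT krb5), the following parser reads KRB5_TRACE output like the two kvno runs above and reconstructs the referral chain: which realm each TGS request was sent to, over which transport, and whether a KDC hostname was ever resolved for it. On the failing run it reports that the request for EXAMPLE.COM went out "tcp only" with no KDC located, while the succeeding run resolved a KDC for the same realm over UDP; the sample traces are constructed from the transcript lines, and the regexes assume the MIT krb5 trace wording shown on this page.

```python
import re

# Regexes for the MIT krb5 KRB5_TRACE wording seen in the transcript above.
RE_SEND = re.compile(r"Sending request \(\d+ bytes\) to (\S+)( \(tcp only\))?$")
RE_RESOLVE = re.compile(r"Resolving hostname (\S+)\.$")
RE_XREALM = re.compile(r"Received TGT for service realm: (\S+)$")
RE_FAIL = re.compile(r'Cannot find KDC for realm "([^"]+)"')

def parse_trace(text):
    """TGS hops (realm, transport, KDC located?), cross-realm TGTs, failed realm."""
    hops, xrealm, failed = [], [], None
    for line in text.splitlines():
        if m := RE_SEND.search(line):
            hops.append({"realm": m.group(1),
                         "transport": "tcp" if m.group(2) else "udp", "kdc": None})
        elif (m := RE_RESOLVE.search(line)) and hops:
            hops[-1]["kdc"] = m.group(1)   # a KDC was located for the last hop
        elif m := RE_XREALM.search(line):
            xrealm.append(m.group(1))
        elif m := RE_FAIL.search(line):
            failed = m.group(1)
    return {"hops": hops, "cross_realm_tgts": xrealm, "failed_realm": failed}

def diagnose(text):
    """One-line verdict: which realm/transport never got a KDC, or all good."""
    r = parse_trace(text)
    if r["failed_realm"] is None:
        return "ok: " + ", ".join(f"{h['realm']}/{h['transport']} -> {h['kdc']}"
                                  for h in r["hops"])
    bad = sorted({h["transport"] for h in r["hops"]
                  if h["realm"] == r["failed_realm"] and h["kdc"] is None})
    return (f"KDC lookup failed for realm {r['failed_realm']} over {'/'.join(bad)}; "
            f"cross-realm TGT(s) already held: {', '.join(r['cross_realm_tgts']) or 'none'}. "
            f"Check _kerberos._{'/_kerberos._'.join(bad)} SRV records or kdc= entries "
            "for that realm.")

# Constructed samples, condensed from the two kvno runs in the transcript.
TRACE_FAIL = """\
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
[1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
"""
TRACE_OK = """\
[1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
[1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
"""
```

Run it against a real capture with `KRB5_TRACE=/tmp/kvno.trace kvno host/...` and `diagnose(open("/tmp/kvno.trace").read())`; the verdict names the hop to check rather than the cause, which is still the admin's to confirm.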
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org