So I've just re-run the client install to avoid the noise of krb5kdc.log (just as to
why the timestamps don't match) and this is the entire block:
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for HTTP/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11

Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk

On 12 Mar 2019, at 12:04, Alexander Bokovoy <abokovoy@redhat.com> wrote:

> On Tue, 12 Mar 2019, Callum Smith wrote:
>> Dear Alexander,
>>
>> No worries - here's the krb5kdc.log relevant area when you get a
>> moment. I understand that service aliases are relatively new to FreeIPA
>> so debugging them is proving to be a bit tricky.
>
> Hm.. the log you provided does not include a line where host/virt-test...
> client asks for a service ticket (TGS_REQ) to HTTP/virt-b... that
> results in PROCESS_TGS response.
>
> The log entries around that one are needed.
>
>> We're very grateful for your time - particularly when it may be taking
>> you away from things like implementing the Global Catalogue we're eager
>> for :D.
>
> :) I wish I had time for that already. I'm trying to fix
> https://pagure.io/freeipa/issue/7181 right now.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
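
Added example, not part of the original messages: one way to pull out of krb5kdc.log the TGS_REQ entries for a given client and service prefix together with the lines around them, which is the excerpt requested in the quoted reply. The function names, the sample hosts and realm, the PROCESS_TGS sample line with its error text, and treating the etypes group as optional are assumptions.

```python
import re

# Request-line shape seen in the log above:
#   <REQ> (N etypes {..}) <ip>: <STATUS>: [details, ]<client> for <service>[, <message>]
# The etypes group is treated as optional (assumption).
REQ = re.compile(r"(?P<req>AS_REQ|TGS_REQ) (?:\(\d+ etypes \{[^}]*\}\) )?"
                 r"(?P<ip>\S+): (?P<status>[A-Z0-9_]+): (?P<rest>.*)")
PRINCS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")


def parse(line):
    """Return a dict for a KDC request line, or None for any other line."""
    m = REQ.search(line)
    p = PRINCS.search(m["rest"]) if m else None
    if not p:
        return None
    return {"req": m["req"], "ip": m["ip"], "status": m["status"],
            "client": p["client"], "service": p["service"]}


def find_with_context(lines, client_prefix, service_prefix, context=2):
    """Find TGS_REQ entries for client -> service, each with neighbouring lines."""
    hits = []
    for i, line in enumerate(lines):
        e = parse(line)
        if (e and e["req"] == "TGS_REQ"
                and e["client"].startswith(client_prefix)
                and e["service"].startswith(service_prefix)):
            lo, hi = max(0, i - context), min(len(lines), i + context + 1)
            hits.append((e, lines[lo:hi]))
    return hits


# Constructed sample: example hosts, realm and error text, not from the thread.
P = "Mar 12 12:08:48 kdc.example.test krb5kdc[1967](info): "
E = "(8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: "
HOST = "host/client.example.test@EXAMPLE.TEST"
SAMPLE = [
    P + "AS_REQ " + E + "NEEDED_PREAUTH: " + HOST + " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    P + "closing down fd 11",
    P + "AS_REQ " + E + "ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, " + HOST + " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    P + "closing down fd 11",
    P + "TGS_REQ " + E + "PROCESS_TGS: authtime 0, " + HOST + " for HTTP/alias.example.test@EXAMPLE.TEST, (constructed error text)",
    P + "closing down fd 11",
    P + "TGS_REQ " + E + "ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/kdc.example.test@EXAMPLE.TEST",
]

if __name__ == "__main__":
    for entry, ctx in find_with_context(SAMPLE, "host/client.", "HTTP/"):
        print(entry["status"], entry["client"], "->", entry["service"])
        print("\n".join(ctx))
```

Run against the real log, the prefixes would be the client host principal and the HTTP service alias under test; an empty result means the KDC never logged that request in the window captured.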