Dear Alexander,
Some more (hopefully) helpful information with a KRB5_TRACE on while running ipa-client
install:
ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IN.BMRC.OX.AC.UK:
[7792] 1552322394.293495: ccselect module realm chose cache FILE:/tmp/krbccQ6OHiN/ccache
with client principal admin@IN.BMRC.OX.AC.UK for
server principal
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
[7792] 1552322394.293496: Getting credentials
admin@IN.BMRC.OX.AC.UK ->
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
using ccache FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293497: Retrieving
admin@IN.BMRC.OX.AC.UK ->
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
from FILE:/tmp/krbccQ6OHiN/ccache with result: -1765328243/Matching credential not found
(filename: /tmp/krbccQ6OHiN/ccache)
[7792] 1552322394.293498: Retrieving
admin@IN.BMRC.OX.AC.UK ->
krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
from FILE:/tmp/krbccQ6OHiN/ccache with result: 0/Success
[7792] 1552322394.293499: Starting with TGT for client realm:
admin@IN.BMRC.OX.AC.UK ->
krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
[7792] 1552322394.293500: Requesting tickets for
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK,
referrals on
[7792] 1552322394.293501: Generated subkey for TGS request: aes256-cts/6474
[7792] 1552322394.293502: etypes requested in TGS request: aes256-cts, aes128-cts,
aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7792] 1552322394.293504: Encoding request body and padata into FAST request
[7792] 1552322394.293505: Sending request (985 bytes) to IN.BMRC.OX.AC.UK
[7792] 1552322394.293506: Resolving hostname ipa-b.virt.in.bmrc.ox.ac.uk
[7792] 1552322394.293507: Initiating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293508: Sending TCP request to stream 10.141.31.252:88
[7792] 1552322394.293509: Received answer (883 bytes) from stream 10.141.31.252:88
[7792] 1552322394.293510: Terminating TCP connection to stream 10.141.31.252:88
[7792] 1552322394.293511: Response was from master KDC
[7792] 1552322394.293512: Decoding FAST response
[7792] 1552322394.293513: FAST reply key: aes256-cts/7B54
[7792] 1552322394.293514: TGS reply is for
admin@IN.BMRC.OX.AC.UK ->
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
with session key aes256-cts/0013
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
[7792] 1552322394.293517: Storing
admin@IN.BMRC.OX.AC.UK ->
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
in FILE:/tmp/krbccQ6OHiN/ccache
[7792] 1552322394.293519: Creating authenticator for
admin@IN.BMRC.OX.AC.UK ->
ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK,
seqnum 27249405, subkey aes256-cts/2328, session key aes256-cts/0013
Unable to download CA cert from LDAP.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
On 11 Mar 2019, at 16:19, Alexander Bokovoy
<abokovoy@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, if I use the
ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
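Added example, not from either correspondent: a small parser for mail-wrapped KRB5_TRACE output like the one above, which re-joins the wrapped entries and pulls out the service principal the client actually requested, the KDC it spoke to and the TGS result, plus a helper that derives the ldap/ principal names a client will ask for from a given set of _ldap._tcp SRV targets, which is the point Alexander makes about discovery. The sample trace, the example.test realm, the SRV targets and the lowercase/trailing-dot normalisation in expected_ldap_principals are all constructed assumptions.

```python
import re

# Constructed excerpt modelled on the trace in the thread, wrapped the way a
# mail client wraps it; realm, hostnames and ccache path are made up.
SAMPLE = """\
[7792] 1552322394.293496: Getting credentials
admin@EXAMPLE.TEST ->
ldap/ipa-b.virt.example.test@EXAMPLE.TEST
using ccache FILE:/tmp/krbccXXXX/ccache
[7792] 1552322394.293497: Retrieving admin@EXAMPLE.TEST ->
ldap/ipa-b.virt.example.test@EXAMPLE.TEST from FILE:/tmp/krbccXXXX/ccache
with result: -1765328243/Matching credential not found
[7792] 1552322394.293500: Requesting tickets for
ldap/ipa-b.virt.example.test@EXAMPLE.TEST,
referrals on
[7792] 1552322394.293508: Sending TCP request to stream 192.0.2.10:88
[7792] 1552322394.293515: TGS request result: 0/Success
[7792] 1552322394.293516: Received creds for desired service
ldap/ipa-b.virt.example.test@EXAMPLE.TEST
"""

ENTRY = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

def parse_trace(text):
    """Re-join wrapped lines; return a list of (pid, timestamp, message)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3).strip()])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()  # continuation of previous entry
    return [tuple(e) for e in entries]

def summarize(entries):
    """Extract the fields that tell you which service principal the client used."""
    out = {"requested": None, "kdc": None, "tgs_result": None,
           "creds_for": None, "cache_misses": []}
    for _, _, msg in entries:
        if m := re.match(r"Requesting tickets for (\S+?),", msg):
            out["requested"] = m.group(1)
        elif m := re.match(r"Sending TCP request to stream (\S+)", msg):
            out["kdc"] = m.group(1)
        elif m := re.match(r"TGS request result: (-?\d+)/(.*)", msg):
            out["tgs_result"] = (int(m.group(1)), m.group(2))
        elif m := re.match(r"Received creds for desired service (\S+)", msg):
            out["creds_for"] = m.group(1)
        elif m := re.match(r"Retrieving \S+ -> (\S+) from .* with result: (-?\d+)/", msg):
            if int(m.group(2)) != 0:          # ccache miss, so a TGS request follows
                out["cache_misses"].append(m.group(1))
    return out

def expected_ldap_principals(srv_targets, realm):
    """ldap/ principals a client asks for when discovery yields these SRV targets
    (assumed normalisation: strip trailing dot, lowercase the host)."""
    return [f"ldap/{t.rstrip('.').lower()}@{realm}" for t in srv_targets]
```

Compare summarize(...)["requested"] against expected_ldap_principals(targets, realm) for the SRV targets your clients can actually see; the server must hold a key for whichever ldap/ name the SRV records steer clients to.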