Dear Alexander,

No worries - here's the krb5kdc.log relevant area when you get a moment. I understand that service aliases are relatively new to FreeIPA so debugging them is proving to be a bit tricky.

Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for HTTP/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11

We're very grateful for your time - particularly when it may be taking you away from things like implementing the Global Catalogue we're eager for :D.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk

On 12 Mar 2019, at 11:52, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
ldap/ipa-b.virt.$domain > ldap/ipa-b.$domain
HTTP/ipa-b.virt.$domain > HTTP/ipa-b.$domain

both aliases as above - krb5trace should be in attachments on previous message.

My bad. Thanks, can you also give krb5kdc.log output from the KDC server the
client talked to?

It looks like KDC is not finding something and returning PROCESS_TGS. I
have no time to look into details right now.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
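
Added example, not part of the thread and not FreeIPA or MIT krb5 code: a small parser for AS_REQ/TGS_REQ lines in the format of the krb5kdc.log excerpt above, reporting for each service principal you expect (such as an alias) which statuses the KDC logged for it. The sample log lines, the EXAMPLE.TEST realm, the host names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Request lines in the format of the krb5kdc.log excerpt above.
REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{[^}]*\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>", optionally followed by ", <error text>".
PAIR_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")


def parse_requests(lines):
    """Yield (kind, addr, status, client, service) for each request line."""
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue  # e.g. "closing down fd 11"
        pair = PAIR_RE.search(m["rest"])
        if pair:
            yield m["kind"], m["addr"], m["status"], pair["client"], pair["service"]


def service_report(lines, expected):
    """Map each expected service principal to the statuses logged for it.

    Only TGS_REQ lines count, since service tickets are requested there.
    An empty set means the KDC logged no request naming that principal.
    """
    seen = defaultdict(set)
    for kind, _addr, status, _client, service in parse_requests(lines):
        if kind == "TGS_REQ":
            seen[service].add(status)
    return {svc: seen.get(svc, set()) for svc in expected}


# Constructed sample input (not taken from the thread).
_P = "Mar 12 10:54:31 kdc.example.test krb5kdc[1967](info): "
_E = "(2 etypes {18 17}) 192.0.2.10: "
_OK = "ISSUE: authtime 1552388071, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for "
SAMPLE_LOG = [
    _P + "AS_REQ " + _E + "NEEDED_PREAUTH: admin@EXAMPLE.TEST for "
    "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    _P + "closing down fd 11",
    _P + "AS_REQ " + _E + _OK + "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    _P + "TGS_REQ " + _E + _OK + "ldap/ipa-b.example.test@EXAMPLE.TEST",
    _P + "TGS_REQ " + _E + "UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.TEST for "
    "HTTP/ipa-b.virt.example.test@EXAMPLE.TEST, Server not found in Kerberos database",
]
```

Calling `service_report(SAMPLE_LOG, [...])` with the alias principals separates three cases: ticket issued, request logged with an error status, and no request logged at this KDC at all.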