Hi Alexander,
Issue1:
Authentication failed means the RA agent certificate dogtag uses to
authenticate to LDAP server is not the same as the one mentioned in the
LDAP entry for RA agent.
I think there was some procedure to fix it but I don't have links handy.
Also, you did not specify what versions of FreeIPA you run.
1. We are using IPA version 4.5 version
[root@ipa1 ~]$ ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
Can you help us fix this issue?
2.
Status SUBMITTING means the renewal is not yet completed. It will not
complete until you get Dogtag working.
But now the status says CA_UNEACHABLE
Request ID '20180412150739':
status: CA_UNREACHABLE
ca-error: Server at https://ipa1.xxx.xxxx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=ipa1.xxx.xxxx.com,O=CORP.ENDURANCE.COM',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=ipa1.xxx.xxxx.com,O=CORP.ENDURANCE.COM',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxx.xxxx.COM
subject: CN=ipa1.xxxx.xxxxx.com,O=xxx.xxxx.COM
expires: 2019-10-25 20:16:38 UTC
principal name: krbtgt/xxx.xxxxx.COM@xxx.xxxx.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
Issue2:
We are getting this alert while we log in to UI in httpd error logs
#ipa: INFO: 401 Unauthorized: kinit: Preauthentication failed while getting initial credentials
and PKINIT was disabled
[root@ipa2 httpd]# ipa-pkinit-manage status
PKINIT is disabled
While I tried to enable this
[root@ipa2 httpd]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
the process was getting stuck, so I had to terminate it manually. After trying to enable, I'm getting "Login failed due to an unknown reason." error in web UI when I try to login
Error in httpd:
[Wed Nov 06 10:13:37.465318 2019] [:error] [pid 24416] [remote 172.27.10.113:0] mod_wsgi (pid=24416): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Nov 06 10:13:37.465433 2019] [:error] [pid 24416] [remote 172.27.10.113:0] Traceback (most recent call last):
[Wed Nov 06 10:13:37.468706 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/share/ipa/wsgi.py", line 59, in application
[Wed Nov 06 10:13:37.470083 2019] [:error] [pid 24416] [remote 172.27.10.113:0] return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Nov 06 10:13:37.470146 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 267, in __call__
[Wed Nov 06 10:13:37.473376 2019] [:error] [pid 24416] [remote 172.27.10.113:0] return self.route(environ, start_response)
[Wed Nov 06 10:13:37.473437 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 279, in route
[Wed Nov 06 10:13:37.473462 2019] [:error] [pid 24416] [remote 172.27.10.113:0] return app(environ, start_response)
[Wed Nov 06 10:13:37.473475 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 937, in __call__
[Wed Nov 06 10:13:37.476093 2019] [:error] [pid 24416] [remote 172.27.10.113:0] self.kinit(user_principal, password, ipa_ccache_name)
[Wed Nov 06 10:13:37.478843 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 973, in kinit
[Wed Nov 06 10:13:37.478864 2019] [:error] [pid 24416] [remote 172.27.10.113:0] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Wed Nov 06 10:13:37.478878 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 127, in kinit_armor
[Wed Nov 06 10:13:37.484351 2019] [:error] [pid 24416] [remote 172.27.10.113:0] run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Nov 06 10:13:37.484381 2019] [:error] [pid 24416] [remote 172.27.10.113:0] File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
[Wed Nov 06 10:13:37.487470 2019] [:error] [pid 24416] [remote 172.27.10.113:0] raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Nov 06 10:13:37.488932 2019] [:error] [pid 24416] [remote 172.27.10.113:0] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_24416 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
And when I try to list the certificates using getcert list, there is a new cert which was added
Request ID '20191106100258':
status: CA_UNREACHABLE
ca-error: Server at https://ipa2.xxx.xxxxx.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa1.xxx.xxxxx.com:443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Regards
Nikita S
When
On ti, 05 marras 2019, Nikita Deeksha via FreeIPA-users wrote:
>Hi Team,
>We have 2 IPA servers in Mater-Master setup are we facing the below issue
>on these servers.
>
>Isuue1:
>Our httpd certificate has expired because of which our IPA1 UI wasn't
>working, we are getting “*loging failed due to an unknown reason*” error
>while we log in to the UI
>
>
>1. First, the IPA console was not working as httpd service was stopped,
>httpd was not starting as HTTP certificate is expired. Added
>*NSSEnforceValidCerts
>off* line in nss.conf to start the service.
>
>2. After the change IPA console was loading we are not able to login to the
>console as pki-tomcatd service was not running,
>[root@ipa1 ca]# ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>httpd Service: RUNNING
>ipa-custodia Service: RUNNING
>ntpd Service: RUNNING
>pki-tomcatd Service: STOPPED
>ipa-otpd Service: RUNNING
>
># systemctl status pki-tomcatd@pki-tomcat.service -l
>● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
> Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
>vendor preset: disabled)
> Active: active (running) since Tue 2019-11-05 10:16:50 GMT; 31min ago
> Process: 97068 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited,
>status=0/SUCCESS)
> Main PID: 97233 (java)
> CGroup:
>/system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
> └─97233 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
>-DRESTEASY_LIB=/usr/share/java/resteasy-base
>-Djava.library.path=/usr/lib64/nuxwdog-jni -classpath
>/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
>-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
>-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
>-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>-Djava.security.manager
>-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
>org.apache.catalina.startup.Bootstrap start
>
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: WARNING: Exception
>processing realm com.netscape.cms.tomcat.ProxyRealm@1896e072 background
>process
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]:
>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>Nov 05 10:47:57 ipa1.xxx.xxxxx.com server[97233]: at
>java.lang.Thread.run(Thread.java:748)
>
>
>This service wasn’t starting with this error
>
># less /var/log/pki/pki-tomcat/ca/debug
>31/Oct/2019:13:24:23][localhost-startStop-1]:
>SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert
>cert-pki-ca
>[31/Oct/2019:13:24:23][localhost-startStop-1]:
>SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
>[31/Oct/2019:13:24:23][localhost-startStop-1]: SSL handshake happened
>Could not connect to LDAP server host ipa1.xxx.xxxx.com port 636 Error
>netscape.ldap.LDAPException: Authentication failed (49)
Authentication failed means the RA agent certificate dogtag uses to
authenticate to LDAP server is not the same as the one mentioned in the
LDAP entry for RA agent.
I think there was some procedure to fix it but I don't have links handy.
Also, you did not specify what versions of FreeIPA you run.
>at
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> at
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> at
>com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> at
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> at
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> at
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> at
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> at
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> at
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> at
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> at
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> at
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> at
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> at
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> at
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> at
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> at
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>Internal Database Error encountered: Could not connect to LDAP server host
>ipa1.xxx.xxx.com port 636 Error netscape.ldap.LDAPException: Authentication
>failed (49)
> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> at
>com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
> at
>com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
> at
>com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at
>org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at
>org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> at
>org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> at
>org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
> at
>org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
> at
>org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
> at
>org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
> at
>org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
> at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at
>org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> at
>org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at
>org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at
>org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> at
>org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> at
>org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> at
>org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> at
>java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
># getcert list
>Request ID '20180412150739':
>status: SUBMITTING
>stuck: no
>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=
>ipa1.xxxx.xxxxx.com,O=xxx.xxxx.COM',token='NSS Certificate
>DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=
>ipa1.xxxx.xxxxx.com,O=xxx.xxxxx.COM',token='NSS Certificate DB'
>CA: IPA
>issuer: CN=Certificate Authority,O=xxx.xxxxx.COM
>subject: CN=ipa1.xxxx.xxxx.com,O=xxx.xxxxx.COM
>expires: 2019-10-25 20:16:38 UTC
>principal name: krbtgt/xxxx.xxxx.COM@xxxx.xxxx.COM
>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>eku: id-kp-serverAuth,id-pkinit-KPKdc
>pre-save command:
>post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>track: yes
>auto-renew: yes
Status SUBMITTING means the renewal is not yet completed. It will not
complete until you get Dogtag working.
>
>Issue2:
>
>On the IPA2 server, we are unable to login with the admin user credentials
>without OTP, but when an AD user is trying to login with 2FA (i.e,
>password and OTP) we are getting this error *"The password you entered is
>incorrect."*
AD users cannot use multifactor authentication defined in IPA.
># [root@ipa2 log]# ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>httpd Service: RUNNING
>ipa-custodia Service: RUNNING
>ntpd Service: RUNNING
>ipa-otpd Service: STOPPED
>ipa: INFO: The ipactl command was successful
>
># systemctl status ipa-otpd.socket -l
>● ipa-otpd.socket - ipa-otpd socket
> Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled;
>vendor preset: disabled)
> Active: failed (Result: resources) since Tue 2019-11-05 08:19:04 GMT; 1h
>31min ago
> Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
> Accepted: 2; Connected: 0
>
>Nov 05 07:42:53 ipa2.xxxx.xxxx.com systemd[1]: Listening on ipa-otpd socket.
>Nov 05 08:19:04 ipa2.xxxx.xxxx.com systemd[1]: ipa-otpd.socket failed to
>queue service startup job (Maybe the service file is missing or not a
>template unit?): Resource temporarily unavailable
>Nov 05 08:19:04 ipa2.xxxx.xxxx.com systemd[1]: Unit ipa-otpd.socket entered
>failed state.
>
># cat /usr/lib/systemd/system/ipa-otpd.socket
>[Unit]
>Description=ipa-otpd socket
>
>[Socket]
>ListenStream=/var/run/krb5kdc/DEFAULT.socket
>RemoveOnStop=true
>SocketMode=0600
>Accept=true
>
>[Install]
>WantedBy=krb5kdc.service
>
>
>
>We see that data replication is broken between the 2 IPA servers, as the
>changes made on IPA2 is not reflecting on IPA1
This is most likely because your LDAP server certificate expired as
well.
>We the below errors as well.
>
>IPA1
>Nov 05 10:09:23 ipa1.xxx.xxxx.com krb5kdc[28021](info): TGS_REQ (8 etypes
>{18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime 1572948563, etypes
>{rep=18 tkt=18 ses=18}, ldap/ipa1.xxxxx.xxxx.com@xxxx.xxxxx.COM for ldap/
>ipa2.xxxx.xxxx.com@xxxx.xxxx.COM
>Nov 05 10:14:24 ipa1.corp.endurance.com krb5kdc[28021](info): TGS_REQ (8
>etypes {18 17 20 19 16 23 25 26}) x.x.x.x: ISSUE: authtime 1572948863,
>etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.xxxx.xxx.com@xxxx.xxxx.COM for
>ldap/ipa2.xxxx.xxxx.com@xxxx.xxxx.COM
These aren't errors. They are normal operations: ldap/ipa1 service (LDAP
server on IPA1) asked for a Kerberos service ticket to LDAP service on
IPA2 and was granted it. This is just as it should be for replication.
>
>IPA2
># tailf krb5kdc.log
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): AS_REQ (8 etypes
>{18 17 20 19 16 23 25 26}) y.y.y.y: NEEDED_PREAUTH: ldap/
>ipa2.xxxx.xxxx.com@xxx.xxxx.COM for krbtgt/xxxx.xxxx.COM@xxxx.xxxx.COM,
>Additional pre-authentication required
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down fd 11
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): AS_REQ (8 etypes
>{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime 1572947965, etypes
>{rep=18 tkt=18 ses=18}, ldap/ipa2.xxxx.xxxx.com@xxx.xxxx.COM for krbtgt/
>xxx.xxxx.COM@xxx.xxxx.COM
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down fd 11
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): TGS_REQ (8 etypes
>{18 17 20 19 16 23 25 26}) y.y.y.y: ISSUE: authtime 1572947965, etypes
>{rep=18 tkt=18 ses=18}, ldap/ipa2.xxxx.xxxx.com@xxxx.xxxx.COM for ldap/
>ipa2.xxxx.xxxx.com@xxx.xxxx.COM
>Nov 05 09:59:25 ipa2.xxxx.xxxx.com krb5kdc[2451](info): closing down fd 11
Same here. LDAP server on IPA2 operated against itself here.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland