On Fri, 06 Oct 2017, Marius Bjørnstad wrote:
> Wow that's well spotted! That IP is the 4.4 server (I just blindly
> assumed that it would use the value in krb5.conf, which is the 4.5
> server). It goes to 248 every time.
> strace showed me that kinit gets the IP address from
> /var/lib/sss/pubconf/kdcinfo.OUS.NSC.LOCAL. This file contains only the
> IP address of the other master. I changed it to 192.168.1.249, the 4.5
> master, and it works!
This is fixed in 4.6.1 and backported to 4.5. In short, check
/etc/sssd/sssd.conf on the 4.5 master to see if it has _srv_ in
'ipa_server' option. If it does, remove it from there and only leave
this master's fqdn:

    ipa_server = master.example.com

SSSD also was updated to not write down KDC locator file in case we are
running on IPA master (ipa_server_mode = True).
> On 6 Oct 2017 at 11:56, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> On Fri, 06 Oct 2017, Marius Bjørnstad via FreeIPA-users wrote:
>> Thanks for the replies! I do have the krb5-pkinit package installed.
>> ipa-pkinit-manage status was disabled, but enabling it with
>> ipa-pkinit-manage enable didn't fix the problem.
>>
>> $ ipa pkinit-status --server=SERVER_NAME
>> says PKINIT is disabled.
>> # ipa-pkinit-manage status
>> now says it is enabled.
>> $ ipa config-show
>> does not list any IPA masters supporting PKINIT.
>>
>> If I disable then re-enable using ipa-pkinit-manage, nothing changes.
>>
>> I should note that we now have one server on 4.4, which I daren't touch,
>> and this one on 4.5 which is having issues.
>>
>> This is the output from kinit -n as my user, with KRB5_TRACE on. I
>> terminated it at the password prompt. So there is something wrong with
>> the KDC?
>>
>> [3790] 1507282499.679169: Resolving unique ccache of type KEYRING
>> [3790] 1507282499.679205: Getting initial credentials for WELLKNOWN/ANONYMOUS(a)OUS.NSC.LOCAL
>> [3790] 1507282499.681014: Sending request (190 bytes) to OUS.NSC.LOCAL
>> [3790] 1507282499.681128: Initiating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.681311: Sending TCP request to stream 192.168.1.248:88
>> [3790] 1507282499.683001: Received answer (296 bytes) from stream 192.168.1.248:88
>> [3790] 1507282499.683008: Terminating TCP connection to stream 192.168.1.248:88
>> [3790] 1507282499.683039: Response was from master KDC
>> [3790] 1507282499.683053: Received error from KDC: -1765328359/Additional pre-authentication required
>> [3790] 1507282499.683072: Processing preauth types: 136, 19, 2, 133
>> [3790] 1507282499.683079: Selected etype info: etype aes256-cts, salt "OUS.NSC.LOCALWELLKNOWNANONYMOUS", params ""
>> [3790] 1507282499.683081: Received cookie: MIT
>> [3790] 1507282501.423154: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
>
> 192.168.1.248 -- which KDC is this? 4.4 or 4.5?
>
>
>>
>>
>>
>>> On 5 Oct 2017 at 21:11, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>>
>>> On Thu, 05 Oct 2017, Jochen Hein wrote:
>>>> Alexander Bokovoy <abokovoy(a)redhat.com> writes:
>>>>
>>>>> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>>>
>>>>>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>>>>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>>>>>> /var/run/ipa/ccaches/armor_7424 -X
>>>>>>> X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X
>>>>>>> X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned
>>>>>>> non-zero exit status 1
>>>>>>
>>>>>> Do you have krb5-pkinit installed? I think there is a dependency
>>>>>> missing. And I ran "ipa-pkinit-manage enable", but I don't remember if
>>>>>> it's needed for WebUI login.
>>>>> Looking into RHEL/CentOS spec file, I see:
>>>>
>>>> Hm, then the dependency was missing for the client packages for
>>>> Debian/Ubuntu.
>>> This should not be a problem for the case above because it is IPA
>>> master, not a client here.
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
--
/ Alexander Bokovoy