On 11/26/18 7:38 PM, Jaroslav Shejbal via FreeIPA-users wrote:
Hi everyone,
I am pretty new to freeipa and I like it a lot, but I have one problem which I cannot
solve. I am using ipa-server (freeipa-server) on Ubuntu 18.10 and ipa-clients Debian 9, so
I am not using ipa-client package only nscd & sssd and configuration. All clients are
successfully enrolled provided with keytab file. Some clients work fine and it looks like
this (in /var/log/auth.log):
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: NEEDED_PREAUTH: host/some-working-host.domain.com(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18},
host/some-working-host.domain.com(a)DOMAIN.COM for krbtgt/DOMAIN.COM(a)DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18},
host/some-working-host.domain.com(a)DOMAIN.COM for ldap/ipa.domain.com(a)DOMAIN.COM
and some are not provided with the ldap line:

What exactly is not working? The line with ISSUE .. for
ldap/ipa.domain.com(a)DOMAIN.COM shows that the host is using Kerberos
authentication to the LDAP service. To check if that part is working on
your client, you can do
[client]# kinit -kt /etc/krb5.keytab
[client]# ldapsearch -h $MASTER -Y GSSAPI -b "" -s base
HTH,
flo

Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16
23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-not-working-host.domain.com(a)DOMAIN.COM
for krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26})
AA.BB.CC.DD: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18},
host/some-not-working-host.domain.com(a)DOMAIN.COM for krbtgt/DOMAIN.COM(a)DOMAIN.COM
(lines with "closing down fd 12" were omitted, also hostnames, IPs and domains
were replaced)
I've checked DNS settings, time difference and various logs but with no success.
I've also tried to remove rm -f /var/lib/sss/db/* and reinstall client packages.
Do you have any idea where and what should I look for regarding this issue?
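
The comparison made in this thread (hosts that get a TGT and then an ldap/ service ticket versus hosts that stop after the TGT) can be run over a whole KDC log. The following is an added example, not part of the original messages: the sample log is constructed in the format quoted above, with @ restored where the archive shows (a) and documentation addresses in place of AA.BB.CC.DD, and the function names are hypothetical.

```python
import re

# Request lines as krb5kdc writes them (one line each; the mail above wraps them).
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?:.*, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)

# Constructed sample: same shape as the log in the thread, documentation IPs.
SAMPLE_LOG = """\
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for ldap/ipa.domain.com@DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: closing down fd 12
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.20: NEEDED_PREAUTH: host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.20: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18}, host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
"""


def issued_tickets(log_text):
    """Map each client principal to the set of services it was issued tickets for."""
    issued = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # NEEDED_PREAUTH and other non-ISSUE statuses are not issued tickets.
        if m and m["status"] == "ISSUE":
            issued.setdefault(m["client"], set()).add(m["service"])
    return issued


def hosts_missing_ldap_ticket(log_text):
    """Clients that obtained a TGT but were never issued an ldap/ service ticket."""
    missing = []
    for client, services in issued_tickets(log_text).items():
        has_tgt = any(s.startswith("krbtgt/") for s in services)
        has_ldap = any(s.startswith("ldap/") for s in services)
        if has_tgt and not has_ldap:
            missing.append(client)
    return sorted(missing)


if __name__ == "__main__":
    for client in hosts_missing_ldap_ticket(SAMPLE_LOG):
        print("TGT issued, no ldap/ ticket issued:", client)
```

A host reported here authenticated to the KDC with its keytab, but this KDC never logged an ldap/ ticket for it, so the kinit and ldapsearch check suggested in the reply is the next thing to run on that client.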