Yep you're not wrong, one of our IPA replicas was being evil and spitting errors. That
replica is destined for the bin anyway so I've not worried about it. All of the
Kerberos issues have now gone away, except one which is more of a question than anything.
Is it intentional that the sub-zone _kerberos._tcp SRV records are ignored and only the
top-level SRV records are used? We were hoping that defining _kerberos._tcp in
.virt.in.bmrc.ox.ac.uk would work and override the _kerberos._tcp SRV records in
.in.bmrc.ox.ac.uk
I have a feeling this behaviour is only in the installer however.
Another (smaller) issue is that the DNS record creation as part of `ipa-client-install`
isn't working. I'm having trouble finding where to look for the error:
2019-03-12T14:43:39Z DEBUG The DNS query name does not exist: virt-test.virt.in.bmrc.ox.ac.uk.
2019-03-12T14:43:39Z WARNING Hostname (virt-test.virt.in.bmrc.ox.ac.uk) does not have A/AAAA record.
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use loopback IP address 127.0.0.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use loopback IP address ::1
2019-03-12T14:43:39Z DEBUG IP check successful: 10.141.17.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use link-local IP address fe80::546f:67ff:fe51:1c%eth0
2019-03-12T14:43:39Z DEBUG IP check successful: 10.141.17.1
2019-03-12T14:43:39Z DEBUG IP check failed: cannot use link-local IP address fe80::546f:67ff:fe51:1c%eth0
2019-03-12T14:43:39Z DEBUG Searching for an interface of IP address: 10.141.17.1
2019-03-12T14:43:39Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2019-03-12T14:43:39Z DEBUG Testing local IP address: 10.141.17.1/255.255.240.0 (interface: eth0)
2019-03-12T14:43:39Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2019-03-12T14:43:39Z DEBUG debug
update delete virt-test.virt.in.bmrc.ox.ac.uk. IN A
show
send
update delete virt-test.virt.in.bmrc.ox.ac.uk. IN AAAA
show
send
update add virt-test.virt.in.bmrc.ox.ac.uk. 1200 IN A 10.141.17.1
show
send
2019-03-12T14:43:39Z DEBUG Starting external process
2019-03-12T14:43:39Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2019-03-12T14:45:23Z DEBUG Process finished, return code=1
2019-03-12T14:45:23Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
virt-test.virt.in.bmrc.ox.ac.uk. 0 ANY A
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55036
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY
;; ADDITIONAL SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 1552401823 1552401823 3
NOERROR 688 YIICrAYJKoZIhvcSAQICAQBuggKbMIICl6ADAgEFoQMCAQ6iBwMFACAA
AACjggGKYYIBhjCCAYKgAwIBBaE
SGxBJTi5CTVJDLk9YLkFDLlVLoigw JqADAgEDoR8wHRsDRE5TGxZpcGEtYS5pbi5ibXJjLm94LmFjLnVro4IB
OzCCATegAwIBEqEDAgECooIBKQSCASX4L4yJ9gPwWyHU5szTktPPJP+G
Hjf/Bzworzuk1ODfJ5k/rG35UYurnk1KB0FI
RYaeblQ8CPyYZ9eAmo1l WiPHFT+GwVtiUN6nhiPno5cQway4I5BCBOAQBEuxJd96GGqMhZYZLzWZ
EomtIyl3JGL7GcuXFV62S9Dwg3FXsME3XYkBGrCQXHgXX35Yq0sh5sWI
JM/XDPfbTxDHonLc+l/FSCyXB1KlOBc0v9KGX02V3aPlc
NssV2xvk8y/ Nt/nyCI8VtzIa/6fSy/ZDpdwCkLqF2TbXY3ans6x1YbtS6GXIQtB3SFr
n5PLZ+D/s6iHDHw7x4+q2on9+zlytLJahdoJLUO6/Zbr0MQrJPTjGmEb
/RMySXyzEFz/evVVwlApnGlYY8ToIKSB8zCB8KADAgESooHoBIHl/v
gZ 5/9qdzXOnRNBsmlgXU4viWXwbncZgQJ3E14rZOybp3/V9CVon0TjA4W4
+DsvWTeFiW9TO8ItLEsy/Am5phN3JemwPbSzYlZjUUovAKcCUg19Bn9o
T6U2uopI38PxIIW7hieiQbcwu2thzjmVZCTLzl/ecxzHPhfWYbgJAz3T WLsYS+
7TvVBU7UwYrbYb6Pbs3jF6VZCkEGRUz6DrQ8ukoL/hjBNcJ7uP
MtNz9IVk61Monet/6fAT/EqIgvBYTGXySclw4/x8q2VxShtZ9NwT104+ eMijav0t8wsxeoL0HIq67w== 0
2019-03-12T14:45:23Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21780
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;virt-test.virt.in.bmrc.ox.ac.uk. IN SOA
;; AUTHORITY SECTION:
virt.in.bmrc.ox.ac.uk. 0 IN SOA ipa-a.in.bmrc.ox.ac.uk. hostmaster.virt.in.bmrc.ox.ac.uk. 1552319704 3600 900 1209600 3600
Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26740
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY
;; ANSWER SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 22380
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY
response to SOA query was unsuccessful
2019-03-12T14:45:23Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2019-03-12T14:45:23Z ERROR Failed to update DNS records.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: virt-test.virt.in.bmrc.ox.ac.uk IN A
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: virt-test.virt.in.bmrc.ox.ac.uk IN AAAA
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z DEBUG DNS resolver: Query: 1.17.141.10.in-addr.arpa. IN PTR
2019-03-12T14:45:23Z DEBUG DNS resolver: No record.
2019-03-12T14:45:23Z WARNING Missing A/AAAA record(s) for host virt-test.virt.in.bmrc.ox.ac.uk: 10.141.17.1.
2019-03-12T14:45:23Z WARNING Missing reverse record(s) for address(es): 10.141.17.1.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
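As an added illustration (not code from this thread or from FreeIPA), here is a small parser that pulls the facts a defender needs out of the `nsupdate -g` stderr quoted above: the zone and master the SOA lookup discovered, whether the GSS-TSIG exchange was attempted, which server could not be reached, the RCODE of each reply and any non-NOERROR TKEY error code. The sample input is a constructed subset of the lines quoted in this message; the "findings" strings are this editor's reading of those fields, not anything nsupdate itself emits.

```python
import re

# Constructed sample input: a subset of the nsupdate stderr lines quoted in
# the message above, kept verbatim so the parser sees their real shape.
SAMPLE_STDERR = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21780
;; QUESTION SECTION:
;virt-test.virt.in.bmrc.ox.ac.uk. IN SOA
Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26740
;; ANSWER SECTION:
3005929322.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 22380
response to SOA query was unsuccessful
"""

HEADER_RE = re.compile(r"opcode: (\w+), status: (\w+)")
ZONE_RE = re.compile(r"^Found zone name: (\S+)")
MASTER_RE = re.compile(r"^The master is: (\S+)")
COMM_FAIL_RE = re.compile(r"Communication with (\S+) failed: (.+)")
# TKEY RDATA layout: algorithm inception expiration mode error keysize keydata
TKEY_RE = re.compile(r"\sTKEY\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s+(\w+)\s")


def triage_nsupdate(stderr: str) -> dict:
    """Reduce 'nsupdate -g' debug output to the facts needed for triage."""
    result = {
        "zone": None,
        "master": None,
        "gss_attempted": False,
        "statuses": [],      # RCODE of every reply header, in order seen
        "failures": [],      # (server, reason) for transport-level failures
        "tkey_errors": [],   # error field of TKEY answers other than NOERROR
    }
    for raw in stderr.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            result["zone"] = m.group(1)
        elif m := MASTER_RE.match(line):
            result["master"] = m.group(1)
        elif line == "send_gssrequest":
            result["gss_attempted"] = True
        elif m := HEADER_RE.search(line):
            result["statuses"].append(m.group(2))
        elif m := COMM_FAIL_RE.search(line):
            result["failures"].append((m.group(1), m.group(2).strip()))
        elif m := TKEY_RE.search(line):
            if m.group(3) != "NOERROR":
                result["tkey_errors"].append(m.group(3))
    result["findings"] = findings(result)
    return result


def findings(r: dict) -> list:
    """Human-readable list of everything that went wrong, in log order of
    importance: unreachable servers, rejected TKEY negotiation, odd RCODEs."""
    out = []
    for server, reason in r["failures"]:
        out.append(f"no answer from {server} ({reason})")
    for err in r["tkey_errors"]:
        out.append(f"TKEY (GSS-TSIG) negotiation answered with {err}")
    if "FORMERR" in r["statuses"]:
        out.append("a later query was answered FORMERR")
    if not r["gss_attempted"]:
        out.append("GSS-TSIG negotiation never started; check zone/master discovery")
    return out


if __name__ == "__main__":
    r = triage_nsupdate(SAMPLE_STDERR)
    print(f"zone={r['zone']} master={r['master']} gss_attempted={r['gss_attempted']}")
    print("reply statuses:", ", ".join(r["statuses"]))
    for f in r["findings"]:
        print(" -", f)
```

Run against the quoted output, the summary lines up the master the SOA lookup returned beside the address that timed out and the TKEY error that came back, which is the first comparison to make before reading the full base64 dump.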
On 12 Mar 2019, at 12:37, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 12 Mar 2019, Callum Smith wrote:
So I've just re-run the client install to avoid the noise of
krb5kdc.log (just as to why the timestamps don't match) and this is the
entire block:
In the client krb5 trace I can see it talks to four different KDCs, not
to ipa-b alone, because the krb5.conf generated during install does not
pin you to ipa-b anymore. So I guess you need to look at other KDCs logs
too.
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for HTTP/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (1 etypes {18}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.248.2: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, admin@IN.BMRC.OX.AC.UK for ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH: host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK, Additional pre-authentication required
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.141.17.1: ISSUE: authtime 1552392528, etypes {rep=18 tkt=18 ses=18}, host/virt-test.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK for krbtgt/IN.BMRC.OX.AC.UK@IN.BMRC.OX.AC.UK
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): closing down fd 11
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
On 12 Mar 2019, at 12:04, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 12 Mar 2019, Callum Smith wrote:
Dear Alexander,
No worries - here's the krb5kdc.log relevant area when you get a
moment. I understand that service aliases are relatively new to FreeIPA
so debugging them is proving to be a bit tricky.
Hm.. the log you provided does not include a line where host/virt-test...
client asks for a service ticket (TGS_REQ) to HTTP/virt-b... that
results in PROCESS_TGS response.
The log entries around that one are needed.
We're very grateful for your time - particularly when it may be taking
you away from things like implementing the Global Catalogue we're eager
for :D.
:) I wish I had time for that already. I'm trying to fix
https://pagure.io/freeipa/issue/7181 right now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland