I upgraded a Kerberos server box from Fedora 20 to 21. Since doing so, other Fedora machines (which are still using Fedora 20) can no longer authenticate:
$ kinit
kinit: Cannot contact any KDC for realm 'ENDOFRAME.NET' while getting initial credentials
On the server:
# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/etc/systemd/system/krb5kdc.service; enabled)
   Active: active (running) since Tue 2014-12-16 08:27:54 EST; 24h ago
  Process: 22776 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 22777 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─22777 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
And I'm able to kinit just fine locally on the server.
I've tried completely disabling firewalls; that didn't help.
/var/log/krb5kdc.log on the server looks like this:
otp: Loaded
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): setting up network...
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 12: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): skipping unrecognized local address family 17
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 13: udp fe80::21c:c0ff:fedf:4b55%eth0.88
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 15: tcp 0.0.0.0.88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 14: tcp ::.88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): set up 4 sockets
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22777](info): commencing operation
Dec 17 08:52:59 knock.endoframe.net krb5kdc[22777](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.10: ISSUE: authtime 1418824379, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
Where should I be looking?
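As an added diagnostic, not part of the thread, the Python below parses the krb5kdc.log lines quoted above (embedded as a constructed sample) to summarise what the KDC is bound to, which clients already received tickets, and which startup errors matter, then turns that into the next places to check for a "Cannot contact any KDC" report:

```python
import re

# Constructed sample: lines excerpted from the krb5kdc.log posted in the thread.
SAMPLE_LOG = """\
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 12: udp 0.0.0.0.88 (pktinfo)
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 13: udp fe80::21c:c0ff:fedf:4b55%eth0.88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 15: tcp 0.0.0.0.88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): listening on fd 14: tcp ::.88
Dec 16 08:27:54 knock.endoframe.net krb5kdc[22776](info): set up 4 sockets
Dec 17 08:52:59 knock.endoframe.net krb5kdc[22777](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.10: ISSUE: authtime 1418824379, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
"""

# "listening on fd 12: udp 0.0.0.0.88" -> proto, address, port (last dot separates the port)
LISTEN_RE = re.compile(r"listening on fd \d+: (udp|tcp) (\S+)\.(\d+)")
# "AS_REQ (...) 192.168.1.10: ISSUE: ..." -> client address and outcome
AS_REQ_RE = re.compile(r"AS_REQ \(.*?\) (\S+): (\w+)")


def analyze(log_text):
    """Return the KDC's listeners, the clients it issued tickets to, and (Error) lines."""
    listeners, issued_to, errors = [], set(), []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := AS_REQ_RE.search(line)) and m.group(2) == "ISSUE":
            issued_to.add(m.group(1))
        elif "(Error): " in line:
            errors.append(line.split("(Error): ", 1)[1])
    return {"listeners": listeners, "issued_to": sorted(issued_to), "errors": errors}


def where_to_look(summary):
    """Map the summary to the next checks for a client-side 'Cannot contact any KDC'."""
    hints = []
    v4_protos = {proto for proto, addr, port in summary["listeners"]
                 if addr == "0.0.0.0" and port == 88}
    if {"udp", "tcp"} <= v4_protos:
        hints.append("server binds udp+tcp port 88 on 0.0.0.0: the KDC is listening on every IPv4 address")
    else:
        hints.append("no IPv4 wildcard listener on port 88: check the [kdcdefaults] ports in kdc.conf")
    if summary["issued_to"]:
        hints.append("tickets already issued to " + ", ".join(summary["issued_to"])
                     + ": compare krb5.conf [realms] kdc entries and _kerberos SRV records on a failing client")
    if any("pkinit" in e for e in summary["errors"]):
        hints.append("pkinit failed to initialise: only certificate preauth is affected, password kinit still works")
    return hints
```

The 'pkinit failed to initialize' error is unrelated to the failure: the same log shows a password AS_REQ from 192.168.1.10 being issued after it.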
selinux?
On 12/17/2014 03:12 PM, Braden McDaniel wrote:
On 2014-12-17 09:37, fedora wrote:
selinux?
It's set to "permissive" on the F21 (server) box; shouldn't that be sufficient? Or do I need to disable it completely to make sure it isn't interfering?
On 12/17/2014 10:19 AM, Braden McDaniel wrote:
If it is in permissive, then SELinux is not the issue. I would prefer that you ran in enforcing mode, though. :^)