On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote:
hi everyone
I'm trying a client, when I do:
$ ipa-client-install --no-ntp --force-join
Discovery was successful!
...
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed
Installation failed. Rolling back changes.
-- end
At server's end (one single server in domain):
..
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560685](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: host/dzien.priv.xx.xx.priv.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x, Additional pre-authentication required
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: PREAUTH_FAILED: host/dzien.priv.xx.xx.priv.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x, Preauthentication failed
Jan 06 15:00:42 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: NEEDED_PREAUTH: admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x, Additional pre-authentication required
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560681](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x for krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x for ldap/swir.priv.xx.xx.priv.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): closing down fd 11
Jan 06 15:02:23 swir.priv.xx.xx.priv.xx.xx.x krb5kdc[1560686](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.5.6.17: ISSUE: authtime 1515250943, etypes {rep=18 tkt=18 ses=18}, admin@PRIVATE.xx.xx.PRIVATE.xx.xx.x for HTTP/swir.priv.xx.xx.priv.xx.xx.x@PRIVATE.xx.xx.PRIVATE.xx.xx.x
-- end
But after many tries (randomly) suddenly it would succeed. Client said to use --force-join.
VERSION: 4.5.0, API_VERSION: 2.228
What can be the problem?
regards, L.
Hi,
what is the content of /etc/krb5.conf on your client? Does it contain "includedir /etc/krb5.conf.d/" and if it is the case, what is the content of the included files?
During the client installation, a temp krb5.conf is created and also contains "includedir /etc/krb5.conf.d/". If there are snippets in this directory which define parameters for the IPA realm, then the parameters might be conflicting with the ones needed by the installer.
Flo
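
A way to run the check Flo describes, as an added example (not part of the thread and not FreeIPA code): it lists the settings in krb5.conf-style snippets that apply to a given realm. The function names, the EXAMPLE.TEST realm and the sample snippet are constructed; treating every [libdefaults] entry as relevant is an assumption of this example.

```python
import glob, os, re
# Constructed sample snippet (not from the thread); EXAMPLE.TEST is a placeholder realm.
SAMPLE = """\
[libdefaults]
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  EXAMPLE.TEST = {
    kdc = old-kdc.example.test
  }
  OTHER.TEST = {
    kdc = kdc.other.test
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
"""

def realm_settings(text, realm):
    """Return (section, setting) pairs in krb5.conf text that affect `realm`."""
    hits, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, stack = m.group(1), []
        elif line.endswith("{"):          # opens "NAME = {" (possibly nested)
            stack.append(line.split("=")[0].strip())
        elif line.startswith("}"):
            del stack[-1:]                # tolerate an unbalanced close
        elif section == "realms" and stack[:1] == [realm]:
            hits.append((section, line))
        elif section == "domain_realm" and line.split("=")[-1].strip() == realm:
            hits.append((section, line))
        elif section == "libdefaults" and not stack:
            hits.append((section, line))  # assumption: applies to every realm
    return hits

def scan_dir(directory, realm):
    """Map each snippet file in `directory` to its realm-affecting settings."""
    report = {}
    for path in sorted(glob.glob(os.path.join(directory, "*"))):
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                report[path] = realm_settings(fh.read(), realm)
    return {p: hits for p, hits in report.items() if hits}

if __name__ == "__main__":
    print(realm_settings(SAMPLE, "EXAMPLE.TEST"))
```

On a client, `scan_dir("/etc/krb5.conf.d", "<your realm>")` returns the snippet files worth reading before the next enrollment attempt.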