#3834 Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database
Opened a month ago by constantin05. Modified a month ago

Environment consists of:

FreeIPA + 389 Directory Server + MIT Kerberos + SSSD
Client: RHEL 5.11
Server: RHEL 7.5

The server is running on RHEL 7.5. Up to this moment I have successfully tested against clients on RHEL 6 and 7, but I have an issue setting up clients on RHEL 5. I suspect a problem with the Kerberos TGT supported encryption type, but I cannot confirm this.

In the ipa-client-install debug logs, I have seen the following messages:

root : INFO Successfully retrieved CA cert
successfully set certificate verify locations:
  CAfile: /etc/ipa/ca.crt
Closing connection #0
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab

SSSD enabled
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
Unable to find 'admin' user with 'getent passwd admin'!

Configuration:

Kerberos

File modified by ipa-client-install
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = yes
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
DOMAIN.NAME = {
kdc = server.domain.name:88
master_kdc = server.domain.name:88
admin_server = server.domain.name:749
default_domain = domain.name
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.domain.name = DOMAIN.NAME
domain.name = DOMAIN.NAME

Kerberos Keytab

[root@client-server]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal

2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-256 CTS mode with 96-bit SHA-1 HMAC)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-128 CTS mode with 96-bit SHA-1 HMAC)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (Triple DES cbc mode with HMAC/sha1)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (ArcFour with HMAC/md5)

SSSD

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9

domains = domain.name
[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/domain.name]
cache_credentials = True
krb5_realm = DOMAIN.NAME
krb5_store_password_if_offline = True
ipa_domain = domain.name
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client-server.domain.name
chpass_provider = ipa
ipa_server = srv, server.domain.name
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

General error is:

Sep 20 12:01:20 client-server [sssd[ldap_child[31633]]]: Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

Specific SSSD errors

==> /var/log/sssd/sssd_domain.name.log <==
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): dbus conn: E25C380
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_message_handler] (9): Received SBUS method [getAccountInfo]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Got request for [4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Request processed. Returned 1,11,Fast reply - offline

==> /var/log/sssd/sssd_nss.log <==
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[7917].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [accept_fd_handler] (6): Client connected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [admin] from [<all>]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/domain.name/admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (4): Requesting info for [admin@domain.name]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x13ca1e50

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x13ca1fb0

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Running timer event 0x13ca1e50 "ltdb_callback"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Destroying timer event 0x13ca1fb0 "ltdb_timeout"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Ending timer event 0x13ca1e50 "ltdb_callback"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [domain.name][4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_add_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_remove_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 13C98050
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (1, 11, Fast reply - offline) from Data Provider
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_dp_callback] (2): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_recv] (5): Client disconnected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_destructor] (8): Terminated client [0x13ca10e0][20]

Does

kinit -k host/client-server.domain.name@domain.name

work?

Is the '@domain.name' part of the principal in the keytab really in lower-case?

Hi,

The principal name is not in lower case, but it is the same as on the RHEL7 client where everything works fine.
On the RHEL5 client I have the following results:

[root@client-server ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
-----------------------------------------------------------------------------
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (Triple DES cbc mode with HMAC/sha1)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (ArcFour with HMAC/md5)

[root@client-server ~]# kinit -k host/client-server.domain.name@DOMAIN.NAME
kinit(v5): KDC has no support for encryption type while getting initial credentials

[root@client-server ~]# kinit -k host/client-server.domain.name@domain.name
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

I have even tried the allow_weak_crypto = true parameter:

[libdefaults]
  default_realm = DOMAIN.NAME
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = true
  #default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  #default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  #preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

Did you set

allow_weak_crypto = true

for the KDC as well? What are the related log messages in the KDC logs?

Yes, I've set the same directive on the KDC.
I cannot really find a specific error:

==> /var/log/dirsrv/slapd-DOMAIN-NAME/access <==
[21/Sep/2018:13:18:34.002915235 +0200] conn=39 op=14 UNBIND
[21/Sep/2018:13:18:34.002961729 +0200] conn=39 op=14 fd=104 closed - U1
[21/Sep/2018:13:18:40.002454382 +0200] conn=42 fd=104 slot=104 connection from server-ip to server-ip
[21/Sep/2018:13:18:40.003090287 +0200] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[21/Sep/2018:13:18:40.005870030 +0200] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0003324465
[21/Sep/2018:13:18:40.082065262 +0200] conn=6 op=293 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.082528294 +0200] conn=6 op=293 RESULT err=0 tag=101 nentries=1 etime=0.0000620453
[21/Sep/2018:13:18:40.082668007 +0200] conn=6 op=294 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.082754757 +0200] conn=6 op=294 RESULT err=0 tag=101 nentries=1 etime=0.0000112246
[21/Sep/2018:13:18:40.082908745 +0200] conn=6 op=295 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.082977641 +0200] conn=6 op=295 RESULT err=0 tag=101 nentries=1 etime=0.0000095027
[21/Sep/2018:13:18:40.083109279 +0200] conn=6 op=296 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.083312119 +0200] conn=6 op=296 RESULT err=0 tag=101 nentries=1 etime=0.0000258206
[21/Sep/2018:13:18:40.083455553 +0200] conn=6 op=297 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffCharskrbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.083536162 +0200] conn=6 op=297 RESULT err=0 tag=101 nentries=1 etime=0.0000109979
[21/Sep/2018:13:18:40.084877948 +0200] conn=7 op=336 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.085355826 +0200] conn=7 op=336 RESULT err=0 tag=101 nentries=1 etime=0.0000666018
[21/Sep/2018:13:18:40.085544586 +0200] conn=7 op=337 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.085712870 +0200] conn=7 op=337 RESULT err=0 tag=101 nentries=1 etime=0.0000212498
[21/Sep/2018:13:18:40.086014212 +0200] conn=7 op=338 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.086148962 +0200] conn=7 op=338 RESULT err=0 tag=101 nentries=1 etime=0.0000194921
[21/Sep/2018:13:18:40.086409343 +0200] conn=7 op=339 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.086841256 +0200] conn=7 op=339 RESULT err=0 tag=101 nentries=1 etime=0.0000541397
[21/Sep/2018:13:18:40.087123842 +0200] conn=7 op=340 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffCharskrbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.087280465 +0200] conn=7 op=340 RESULT err=0 tag=101 nentries=1 etime=0.0000209183
[21/Sep/2018:13:18:40.087725247 +0200] conn=7 op=341 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Sep/2018:13:18:40.089009833 +0200] conn=7 op=341 RESULT err=0 tag=101 nentries=1 etime=0.0001369664
[21/Sep/2018:13:18:40.089179613 +0200] conn=7 op=342 SRCH base="cn=server-name.domain.name,cn=masters,cn=ipa,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Sep/2018:13:18:40.089312354 +0200] conn=7 op=342 RESULT err=0 tag=101 nentries=1 etime=0.0000177481
[21/Sep/2018:13:18:40.096457697 +0200] conn=6 op=298 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.096925806 +0200] conn=6 op=298 RESULT err=0 tag=101 nentries=1 etime=0.0012274579
[21/Sep/2018:13:18:40.097576344 +0200] conn=6 op=299 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=ldap/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.098037030 +0200] conn=6 op=299 RESULT err=0 tag=101 nentries=1 etime=0.0000577484
[21/Sep/2018:13:18:40.098332739 +0200] conn=6 op=300 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.098469183 +0200] conn=6 op=300 RESULT err=0 tag=101 nentries=1 etime=0.0000186208
[21/Sep/2018:13:18:40.098819558 +0200] conn=6 op=301 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/server-name.domain.name@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliaseskrbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.099168924 +0200] conn=6 op=301 RESULT err=0 tag=101 nentries=1 etime=0.0000441551
[21/Sep/2018:13:18:40.099462545 +0200] conn=6 op=302 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.099630288 +0200] conn=6 op=302 RESULT err=0 tag=101 nentries=1 etime=0.0000190654
[21/Sep/2018:13:18:40.100739928 +0200] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.108959766 +0200] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0008372020, SASL bind in progress
[21/Sep/2018:13:18:40.110626686 +0200] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.112923851 +0200] conn=42 op=2 RESULT err=14 tag=97 nentries=0 etime=0.0002420539, SASL bind in progress
[21/Sep/2018:13:18:40.113202164 +0200] conn=42 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.113882936 +0200] conn=42 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0000757528 dn="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int"
[21/Sep/2018:13:18:40.114434941 +0200] conn=42 op=4 SRCH base="cn=accounts,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipaHost)(fqdn=server-name.domain.name))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Sep/2018:13:18:40.116771339 +0200] conn=42 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0002551874 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.117266795 +0200] conn=42 op=5 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Sep/2018:13:18:40.122752829 +0200] conn=42 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0005646722 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123127542 +0200] conn=42 op=6 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20081))" attrs="objectClass ipaUniqueID cn member entryusn"
[21/Sep/2018:13:18:40.123240428 +0200] conn=42 op=6 RESULT err=0 tag=101 nentries=0 etime=0.0000210893 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123684805 +0200] conn=42 op=7 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=server-name.consil                                  ium.eu.int,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=eu,dc=int))(entryusn>=20081))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAsipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Sep/2018:13:18:40.124146001 +0200] conn=42 op=7 RESULT err=0 tag=101 nentries=0 etime=0.0000614365 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:46.154654100 +0200] conn=7 op=344 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=CMPAIBL1$@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:46.155229636 +0200] conn=7 op=344 RESULT err=0 tag=101 nentries=0 etime=0.0000941003

This is the directory server access log; the KDC log is at /var/log/krb5kdc.log.

Can you try if you get extra debug output when calling

KRB5_TRACE=/dev/stdout kinit -k host/client-server.domain.name@DOMAIN.NAME

Yes, apologies.
Here below are the related KDC logs regarding this client:

/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531499, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531571, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531587, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME

Ok, so the client asks for {18 17 16 23 1 3 2} (ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5) and the KDC sends a ticket with {rep=18 tkt=18 ses=18} (ENCTYPE_AES256_CTS_HMAC_SHA1_96).

So it looks like all is ok on the KDC side.

Did

KRB5_TRACE=/dev/stdout kinit -k host/client-server.domain.name@DOMAIN.NAME

return any extra debug output?
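A diagnostic that reproduces the maintainer's etype check above, written for this thread and not part of SSSD, FreeIPA or the original post: it decodes the enctype numbers krb5kdc.log prints in AS_REQ lines, checks that the enctype the KDC used for the AS-REP exists in the client's `klist -kte` listing, and flags a non-uppercase realm in keytab principals (the earlier question in the thread). The sample keytab and log lines are constructed from the listings above with a placeholder IP; principal strings are compared exactly, as Kerberos does.

```python
import re
# Enctype numbers as printed in krb5kdc.log (IANA Kerberos encryption type registry).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Display strings used by `klist -kte`, mapped back to the same numbers.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": 1, "DES cbc mode with RSA-MD4": 2,
    "DES cbc mode with RSA-MD5": 3, "Triple DES cbc mode with HMAC/sha1": 16,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18, "ArcFour with HMAC/md5": 23,
}
SINGLE_DES = {1, 2, 3}  # only usable when allow_weak_crypto is set on client AND KDC
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) \S+: (\w+): "
    r"(?:authtime \d+, etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, )?([^\s,]+) for ([^\s,]+)"
)

# Constructed sample input modelled on the listings in this thread (placeholder IP).
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (Triple DES cbc mode with HMAC/sha1)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (ArcFour with HMAC/md5)
"""
SAMPLE_KDC_LOG = (
    "Sep 21 14:04:59 kdc krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: "
    "NEEDED_PREAUTH: host/client-server.domain.name@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, "
    "Additional pre-authentication required\n"
    "Sep 21 14:04:59 kdc krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: "
    "ISSUE: authtime 1537531499, etypes {rep=18 tkt=18 ses=18}, "
    "host/client-server.domain.name@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME\n"
)

def parse_keytab(listing):
    """Map each principal in `klist -kte` output to the set of enctype numbers it has keys for."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m and m.group(3) in KLIST_NAMES:
            keys.setdefault(m.group(2), set()).add(KLIST_NAMES[m.group(3)])
    return keys

def parse_as_req(line):
    """Decode one krb5kdc.log AS_REQ line; returns None for any other line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    offered, status, rep, tkt, ses, client, server = m.groups()
    # rep = enctype of the client key protecting the AS-REP (must be in the keytab),
    # tkt = enctype of the krbtgt key, ses = session key enctype; absent on NEEDED_PREAUTH.
    issued = {"rep": int(rep), "tkt": int(tkt), "ses": int(ses)} if rep else None
    return {"offered": [int(e) for e in offered.split()], "status": status,
            "client": client, "server": server, "issued": issued}

def diagnose(listing, kdc_log):
    """Cross-check a keytab listing against KDC AS_REQ lines; returns a list of findings."""
    keys = parse_keytab(listing)
    findings = []
    for principal in keys:  # the realm part of a principal must be upper-case
        realm = principal.rsplit("@", 1)[-1]
        if realm != realm.upper():
            findings.append("realm-case: %s has a non-uppercase realm" % principal)
    for line in kdc_log.splitlines():
        req = parse_as_req(line)
        if req is None or req["issued"] is None:
            continue  # NEEDED_PREAUTH lines carry no issued etypes
        weak = sorted(set(req["offered"]) & SINGLE_DES)
        if weak:
            findings.append("weak-offered: %s offered %s" % (
                req["client"], ", ".join(ETYPE_NAMES[e] for e in weak)))
        rep, have = req["issued"]["rep"], keys.get(req["client"])  # names are case-sensitive
        if have is None:
            findings.append("no-keytab-entry: %s is not in the keytab" % req["client"])
        elif rep not in have:
            findings.append("rep-etype-missing: KDC used %s, keytab only has %s" % (
                ETYPE_NAMES[rep], ", ".join(ETYPE_NAMES[e] for e in sorted(have))))
        else:
            findings.append("ok: %s can decrypt the AS-REP (%s)" % (req["client"], ETYPE_NAMES[rep]))
    return findings
```

For the thread's own keytab and KDC lines the result is "ok", which matches the maintainer's conclusion that the KDC side is fine and the failure must be looked for on the client (hence the KRB5_TRACE request).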

No, it did not return anything now.
