Issue #3834: Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database - sssd

SSSD / sssd

#3834 Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database

Opened 3 months ago by constantin05. Modified 3 months ago

Environment consist of:

FreeIPA + 389 Directory + Kerberos MIT + SSSD   
Client: RHEL 5.11  
Server: RHEL 7.5

Server is running on RHEL 7.5, up to this moment I have successfully tested against clients on RHEL 6 & 7, but I have an issue setting up clients on RHEL 5. I suspect a problem in the Kerberos TGT supported encryption type, but I cannot confirm this.

During the ipa-client-install debug logs, I have seen the following messages:

root : INFO Successfully retrieved CA cert
-   successfully set certificate verify locations:
-   CAfile: /etc/ipa/ca.crt
-   Closing connection #0  
    Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
    Keytab successfully retrieved and stored in: /etc/krb5.keytab

SSSD enabled  
root : DEBUG args=getent passwd admin  
root : DEBUG stdout=  
root : DEBUG stderr=  
Unable to find ‘admin’ user with ‘getent passwd admin’!

Configuration:

Kerberos

File modified by ipa-client-install
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = yes
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
DOMAIN.NAME = {
kdc = server.domain.name:88
master_kdc = server.domain.name:88
admin_server = server.domain.name:749
default_domain = domain.name
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.domain.name = DOMAIN.NAME
domain.name = DOMAIN.NAME

Kerberos Keytab

[root@client-server]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal

2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-256 CTS mode with 96-bit SHA-1 HMAC)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-128 CTS mode with 96-bit SHA-1 HMAC)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (Triple DES cbc mode with HMAC/sha1)
2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (ArcFour with HMAC/md5)

SSSD

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9

domains = domain.name
[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/domain.name]
cache_credentials = True
krb5_realm = DOMAIN.NAME
krb5_store_password_if_offline = True
ipa_domain = domain.name
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client-server.domain.name
chpass_provider = ipa
ipa_server = srv, server.domain.name
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

General error is:

Sep 20 12:01:20 client-server [sssd[ldap_child[31633]]]: Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

Specific SSSD errors

==> /var/log/sssd/sssd_domain.name.log <==
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): dbus conn: E25C380
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_message_handler] (9): Received SBUS method [getAccountInfo]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Got request for [4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Request processed. Returned 1,11,Fast reply - offline

==> /var/log/sssd/sssd_nss.log <==
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[7917].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [accept_fd_handler] (6): Client connected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [admin] from [<all>]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/domain.name/admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (4): Requesting info for [admin@domain.name]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x13ca1e50

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x13ca1fb0

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Running timer event 0x13ca1e50 "ltdb_callback"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Destroying timer event 0x13ca1fb0 "ltdb_timeout"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Ending timer event 0x13ca1e50 "ltdb_callback"

(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [domain.name][4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_add_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_remove_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 13C98050
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (1, 11, Fast reply - offline) from Data Provider
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_dp_callback] (2): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_recv] (5): Client disconnected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_destructor] (8): Terminated client [0x13ca10e0][20]

sbose commented 3 months ago

Does

kinit -k host/client-server.domain.name@domain.name

work?

Is the '@domain.name' part of the principal in the keytab really in lower-case?

constantin05 commented 3 months ago

Hi,

The principal name is not in lower case, but it is the same as on the RHEL7 client where everything works fine.
On the RHEL5 client I have the following results:

[root@client-server ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
-----------------------------------------------------------------------------
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (Triple DES cbc mode with HMAC/sha1)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (ArcFour with HMAC/md5)

[root@client-server ~]# kinit -k host/client-server.domain.name@DOMAIN.NAME
kinit(v5): KDC has no support for encryption type while getting initial credentials

[root@client-server ~]# kinit -k host/client-server.domain.name@domain.name
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

constantin05 commented 3 months ago

I have even tried the allow_weak_crypto = true parameter:

[libdefaults]
  default_realm = DOMAIN.NAME
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = true
  #default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  #default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  #preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

sbose commented 3 months ago

Did you set

allow_weak_crypto = true

for the KDC as well? What are the related log messages in the KDC logs?

constantin05 commented 3 months ago

Yes , I've set the same directive on KDC.
Cannot really find a specific error:

==> /var/log/dirsrv/slapd-DOMAIN-NAME/access <==
[21/Sep/2018:13:18:34.002915235 +0200] conn=39 op=14 UNBIND
[21/Sep/2018:13:18:34.002961729 +0200] conn=39 op=14 fd=104 closed - U1
[21/Sep/2018:13:18:40.002454382 +0200] conn=42 fd=104 slot=104 connection from server-ip to server-ip
[21/Sep/2018:13:18:40.003090287 +0200] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[21/Sep/2018:13:18:40.005870030 +0200] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0003324465
[21/Sep/2018:13:18:40.082065262 +0200] conn=6 op=293 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.082528294 +0200] conn=6 op=293 RESULT err=0 tag=101 nentries=1 etime=0.0000620453
[21/Sep/2018:13:18:40.082668007 +0200] conn=6 op=294 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.082754757 +0200] conn=6 op=294 RESULT err=0 tag=101 nentries=1 etime=0.0000112246
[21/Sep/2018:13:18:40.082908745 +0200] conn=6 op=295 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.082977641 +0200] conn=6 op=295 RESULT err=0 tag=101 nentries=1 etime=0.0000095027
[21/Sep/2018:13:18:40.083109279 +0200] conn=6 op=296 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.083312119 +0200] conn=6 op=296 RESULT err=0 tag=101 nentries=1 etime=0.0000258206
[21/Sep/2018:13:18:40.083455553 +0200] conn=6 op=297 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffCharskrbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.083536162 +0200] conn=6 op=297 RESULT err=0 tag=101 nentries=1 etime=0.0000109979
[21/Sep/2018:13:18:40.084877948 +0200] conn=7 op=336 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.085355826 +0200] conn=7 op=336 RESULT err=0 tag=101 nentries=1 etime=0.0000666018
[21/Sep/2018:13:18:40.085544586 +0200] conn=7 op=337 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.085712870 +0200] conn=7 op=337 RESULT err=0 tag=101 nentries=1 etime=0.0000212498
[21/Sep/2018:13:18:40.086014212 +0200] conn=7 op=338 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.086148962 +0200] conn=7 op=338 RESULT err=0 tag=101 nentries=1 etime=0.0000194921
[21/Sep/2018:13:18:40.086409343 +0200] conn=7 op=339 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.086841256 +0200] conn=7 op=339 RESULT err=0 tag=101 nentries=1 etime=0.0000541397
[21/Sep/2018:13:18:40.087123842 +0200] conn=7 op=340 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffCharskrbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.087280465 +0200] conn=7 op=340 RESULT err=0 tag=101 nentries=1 etime=0.0000209183
[21/Sep/2018:13:18:40.087725247 +0200] conn=7 op=341 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Sep/2018:13:18:40.089009833 +0200] conn=7 op=341 RESULT err=0 tag=101 nentries=1 etime=0.0001369664
[21/Sep/2018:13:18:40.089179613 +0200] conn=7 op=342 SRCH base="cn=server-name.domain.name,cn=masters,cn=ipa,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Sep/2018:13:18:40.089312354 +0200] conn=7 op=342 RESULT err=0 tag=101 nentries=1 etime=0.0000177481
[21/Sep/2018:13:18:40.096457697 +0200] conn=6 op=298 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILI                                  UM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.096925806 +0200] conn=6 op=298 RESULT err=0 tag=101 nentries=1 etime=0.0012274579
[21/Sep/2018:13:18:40.097576344 +0200] conn=6 op=299 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=ldap/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.098037030 +0200] conn=6 op=299 RESULT err=0 tag=101 nentries=1 etime=0.0000577484
[21/Sep/2018:13:18:40.098332739 +0200] conn=6 op=300 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.098469183 +0200] conn=6 op=300 RESULT err=0 tag=101 nentries=1 etime=0.0000186208
[21/Sep/2018:13:18:40.098819558 +0200] conn=6 op=301 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/server-name.domain.name@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliaseskrbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.099168924 +0200] conn=6 op=301 RESULT err=0 tag=101 nentries=1 etime=0.0000441551
[21/Sep/2018:13:18:40.099462545 +0200] conn=6 op=302 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.099630288 +0200] conn=6 op=302 RESULT err=0 tag=101 nentries=1 etime=0.0000190654
[21/Sep/2018:13:18:40.100739928 +0200] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.108959766 +0200] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0008372020, SASL bind in progress
[21/Sep/2018:13:18:40.110626686 +0200] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.112923851 +0200] conn=42 op=2 RESULT err=14 tag=97 nentries=0 etime=0.0002420539, SASL bind in progress
[21/Sep/2018:13:18:40.113202164 +0200] conn=42 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.113882936 +0200] conn=42 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0000757528 dn="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int"
[21/Sep/2018:13:18:40.114434941 +0200] conn=42 op=4 SRCH base="cn=accounts,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipaHost)(fqdn=server-name.domain.name))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Sep/2018:13:18:40.116771339 +0200] conn=42 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0002551874 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.117266795 +0200] conn=42 op=5 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Sep/2018:13:18:40.122752829 +0200] conn=42 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0005646722 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123127542 +0200] conn=42 op=6 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20081))" attrs="objectClass ipaUniqueID cn member entryusn"
[21/Sep/2018:13:18:40.123240428 +0200] conn=42 op=6 RESULT err=0 tag=101 nentries=0 etime=0.0000210893 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123684805 +0200] conn=42 op=7 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=server-name.consil                                  ium.eu.int,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=eu,dc=int))(entryusn>=20081))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAsipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Sep/2018:13:18:40.124146001 +0200] conn=42 op=7 RESULT err=0 tag=101 nentries=0 etime=0.0000614365 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:46.154654100 +0200] conn=7 op=344 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=CMPAIBL1$@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:46.155229636 +0200] conn=7 op=344 RESULT err=0 tag=101 nentries=0 etime=0.0000941003

Edited 3 months ago by constantin05

sbose commented 3 months ago

This is the directory server access log the KDC log is at /var/log/krb5kdc.log.

Can you try if you get extra debug output when calling

KRB5_TRACE=/dev/stdout kinit -k host/client-server.domain.name@DOMAIN.NAME

constantin05 commented 3 months ago

Yes, apologize.
Here below the related KDC logs in regard to this client:

/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531499, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531571, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531587, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME

sbose commented 3 months ago

Ok, so the client asks for {18 17 16 23 1 3 2} (ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5) and the KDC sends a ticket with {rep=18 tkt=18 ses=18} (ENCTYPE_AES256_CTS_HMAC_SHA1_96).

So it looks like all is ok on the KDC side.

Did

KRB5_TRACE=/dev/stdout kinit -k host/client-server.domain.name@DOMAIN.NAME

return any extra debug output?

constantin05 commented 3 months ago

No, it did not returned anything now.

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

minor

Milestone

None

type

None

component

None

version

None

testsupdated

None

selected

None

patch

None

rhbz

None

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3834 Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database Opened 3 months ago by constantin05. Modified 3 months ago

Close issue as:

Environment consist of:

During the ipa-client-install debug logs, I have seen the following messages:

Configuration:

Metadata

#3834 Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database

Opened 3 months ago by constantin05. Modified 3 months ago