Restarting krb5kdc doesn't help, and although it restarts, it complains
about /run/krb5kdc.pid.
[ipa01 ~]# systemctl restart krb5kdc
[ipa01 ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-01-02 16:45:10 CET; 8s ago
    Process: 43349 ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 43351 (krb5kdc)
      Tasks: 3 (limit: 48859)
     Memory: 6.6M
        CPU: 70ms
     CGroup: /system.slice/krb5kdc.service
             ├─43351 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             ├─43352 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
             └─43353 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2

Jan 02 16:45:09 ipa01.hq.spinque.com systemd[1]: Starting Kerberos 5 KDC...
Jan 02 16:45:10 ipa01.hq.spinque.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permitted
Jan 02 16:45:10 ipa01.hq.spinque.com systemd[1]: Started Kerberos 5 KDC.
[ipa01 ~]# ll /run/krb5kdc.pid
-rw-r--r--. 1 root root 6 Jan 2 16:45 /run/krb5kdc.pid
[ipa01 ~]# kinit roberto
Password for [email protected]:
kinit: Generic error (see e-text) while getting initial credentials
On Tue, 2 Jan 2024 at 16:19, Roberto Cornacchia <[email protected]> wrote:
> Hi there, clients are having trouble with kerberos authentication:
>
> $ kinit -V user
> Using existing cache: xxxxxxxxxx:yyyyy
> Using principal: [email protected] <[email protected]>
> Password for [email protected] <[email protected]>:
> kinit: Generic error (see e-text) while getting initial credentials
>
> On the ipa server, /var/log/krb5kdc.log says:
>
> Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6
> etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
> <http://192.168.0.202/>IP>: NEEDED_PREAUTH: [email protected]
> <[email protected]> for krbtgt/[email protected],
> Additional pre-authentication required
> Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down
> fd 11
> Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ :
> handle_authdata (2)
> Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6
> etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
> <http://192.168.0.202/>IP>: HANDLE_AUTHDATA: user
> <[email protected]>@SUB.EXAMPLE.COM <[email protected]> for
> krbtgt/[email protected], No such file or directory
> Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): closing down
> fd 11
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4
> etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
> <http://192.168.0.16/>IP>: NEEDED_PREAUTH: ldap/
> [email protected] for krbtgt/
> [email protected], Additional pre-authentication required
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down
> fd 11
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4
> etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
> <http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
> {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> ses=aes256-cts-hmac-sha1-96(18)}, ldap/
> [email protected] for krbtgt/
> [email protected]
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down
> fd 11
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): TGS_REQ (4
> etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) <
> <http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
> {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> ses=aes256-cts-hmac-sha1-96(18)}, ldap/
> [email protected] for ldap/
> [email protected]
> Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down
> fd 11
>
> There are 2 ipa servers, ipa01 (Rocky 9.3, ipa 4.10.2) and ipa02 (Rocky
> 9.1, ipa 4.10.0), both with CA and DNS. ipa02 is CRL master.
> On both, ipa-healthcheck doesn't find any issue.
>
> Also: kinit fails from within ipa01, succeeds from within ipa02.
>
> The issue seems to be in ipa01, and I have already tried to reinstall it
> from scratch. One thing that is different is the version.
>
> Could you please help me figure out what's wrong?
>
> Best regards,
> Roberto
>
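As an added example (not part of the thread or of FreeIPA), here is a small parser for krb5kdc.log request lines in the shape quoted above. It treats NEEDED_PREAUTH (the normal first leg of a pre-authenticated AS exchange) and ISSUE as success and flags everything else, so the HANDLE_AUTHDATA / "No such file or directory" entry stands out when scanning a whole log. The sample lines are constructed and reuse the thread's placeholder hostnames and realm.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One krb5kdc.log request line, as quoted in the thread (mail-client link wrapping removed):
#   Dec 24 14:40:51 host krb5kdc[3324](info): AS_REQ (N etypes {...}) 192.168.0.202: STATUS: client for server, text
# ISSUE lines carry "authtime N, etypes {...}, " before the client principal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+)(?:, (?P<text>.*))?$"
)

@dataclass
class KdcEvent:
    ts: str
    host: str
    req: str
    ip: str
    status: str
    client: str
    server: str
    text: Optional[str]

    def is_failure(self) -> bool:
        # NEEDED_PREAUTH is expected before the second AS_REQ; ISSUE means a ticket was returned.
        return self.status not in ("NEEDED_PREAUTH", "ISSUE")

def parse_line(line: str) -> Optional[KdcEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. "closing down fd 11" and other non-request lines
    return KdcEvent(m["ts"], m["host"], m["req"], m["ip"], m["status"],
                    m["client"], m["server"], m["text"])

def failures(lines: Iterable[str]) -> List[KdcEvent]:
    """Return the request events that did not end in NEEDED_PREAUTH or ISSUE."""
    return [e for e in map(parse_line, lines) if e is not None and e.is_failure()]

# Constructed sample modelled on the thread's log (placeholders, not real hosts).
SAMPLE = """\
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (1 etypes {aes256-cts-hmac-sha384-192(20)}) 192.168.0.202: HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18)}, ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
""".splitlines()

if __name__ == "__main__":
    for ev in failures(SAMPLE):
        print(f"{ev.ts} {ev.host} {ev.req} from {ev.ip}: {ev.status} for {ev.client}: {ev.text}")
```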