When I try to enroll a new machine, the ipa-client-install process
bails out with the error "Failed to retrieve encryption type DES cbc
mode with CRC-32 (#1)".
The debug output is below:
[root@apa01-tst ~]# ipa-client-install -d --domain=example.com --mkhomedir -w otpass --realm=EXAMPLE.COM --ntp-server=ns01.example.com --unattended
root : DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': True, 'domain': 'example.com',
'uninstall': False, 'force': False, 'sssd': True,
'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'mkhomedir': True,
'dns_updates': False, 'preserve_sssd': False, 'debug': True,
'on_master': False, 'ca_cert_file': None, 'realm_name': 'EXAMPLE.COM',
'unattended': True, 'ntp_server': 'ns01.example.com', 'principal': None}
root : DEBUG missing options might be asked for interactively
later
root : DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [IPA Discovery]
root : DEBUG Starting IPA discovery with domain=example.com, servers=None,
hostname=apa01-tst.chn1.oob.example.com
root : DEBUG Search for LDAP SRV record in example.com
root : DEBUG [ipadnssearchldap]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG Verifying that auth01.example.com (realm EXAMPLE.COM) is
an IPA server
root : DEBUG Init ldap with: ldap://auth01.example.com:389
root : DEBUG Search LDAP server for IPA base DN
root : DEBUG Check if naming context 'dc=pp,dc=ams' is for IPA
root : DEBUG Naming context 'dc=pp,dc=ams' is a valid IPA context
root : DEBUG Search for (objectClass=krbRealmContainer) in
dc=pp,dc=ams(sub)
root : DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=pp,dc=ams',
{'krbSubTrees': ['dc=pp,dc=ams'], 'cn': ['EXAMPLE.COM'],
'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass':
['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope':
['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal',
'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special',
'des3-hmac-sha1:normal', 'des3-hmac-sha1:special',
'arcfour-hmac:normal', 'arcfour-hmac:special'], 'krbMaxTicketLife':
['86400'], 'krbMaxRenewableAge': ['604800']})]
root : DEBUG Discovery result: Success;
server=auth01.example.com,
domain=example.com, kdc=auth01.example.com,
basedn=dc=pp,dc=ams
root : DEBUG Validated servers: auth01.example.com
root : DEBUG will use domain: example.com
root : DEBUG [ipadnssearchldap(example.com)]
root : DEBUG DNS validated, enabling discovery
root : DEBUG will use discovered server: auth01.example.com
Discovery was successful!
root : DEBUG will use cli_realm: EXAMPLE.COM
root : DEBUG will use cli_basedn: dc=pp,dc=ams
Hostname: apa01-tst.chn1.oob.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: auth01.example.com
BaseDN: dc=pp,dc=ams
Synchronizing time with KDC...
root : DEBUG args=/usr/sbin/ntpdate -U ntp -s -b auth01.example.com
root : DEBUG stdout=
root : DEBUG stderr=
root : DEBUG Writing Kerberos configuration to /tmp/tmpM19nuR:
#File modified by ipa-client-install
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = auth01.example.com:88
master_kdc = auth01.example.com:88
admin_server = auth01.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
root : INFO OTP case, CA cert preexisted, use it
root : DEBUG args=/usr/sbin/ipa-join -s auth01.example.com -b dc=pp,dc=ams -d -w XXXXXXXX
root : DEBUG stdout=
root : DEBUG stderr=request done: ld 0x172d1d10 msgid 1
request done: ld 0x172d1d10 msgid 2
request done: ld 0x172d1d10 msgid 3
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=EXAMPLE.COM
Enrolled in IPA realm EXAMPLE.COM
root : DEBUG args=/usr/kerberos/bin/kinit -k -t
/etc/krb5.keytab host/[email protected]
root : DEBUG stdout=
root : DEBUG stderr=kinit(v5): Password incorrect while
getting initial credentials
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.