[PLUG] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified

Tyrell Jentink tyrell at jentink.net
Thu Oct 27 02:56:34 UTC 2016


Hello all,

I'm currently playing with FreeIPA on Fedora 24;  I've had a bit of success
in the past (Fedora 20 days), but I'm having a bit of trouble with more
modern clients... Specifically, I seem to be able to authenticate OLD
(Pidora 20) clients against my new Fedora 24 FreeIPA server without a
problem, but I can't get modern Fedora 24 FreeIPA clients to update DNS
records...  At face value, seemingly a bug with new clients, but I also
seem to be the only one having this issue, so I'm assuming the problem is
with the operator, not the machine :o

I've been trying to bug the Freeipa-users mailing list with this one... But
have thus far met with mostly silence... So I'm broadening my search.
Anyone here good with FreeIPA or possibly GSSAPI and willing to walk me
through diagnosing this one?  If not, I'll just keep bugging the
Freeipa-users list ;)

Details on what I've tried and where I am below.  Thank you in advance for
your assistance!
-- Tyrell Jentink

> Hello all,
>
> I'm still having problems with my IPA Client install...  My errors aren't
> bringing up any meaningful results on Google, so I really appreciate any
> hints anyone might have!
>
> To narrow the scope of the problem, I simply rebuilt both the server and
> the client from scratch... This time without Active Directory Realm trusts,
> so things are nice and clean. To wit, I have been using
> http://www.freeipa.org/page/Active_Directory_trust_setup and
> https://blog.christophersmart.com/articles/freeipa-how-to-fedora/ as
> references, and I have run the following:
>
> ON THE SERVER:
>
>    - dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad"
>    "*ipa-server-dns" bind bind-dyndb-ldap
>    - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
>    /etc/hosts
>    (I also added the AD server to my hosts file, although that shouldn't
>    be messing with anything...)
>    - hostname ipa_hostname.ipa_domain
>    - hostnamectl set-hostname ipa_hostname.ipa_domain
>    - reboot (And took a snapshot of the VM)
>    - for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd
>    --permanent --zone=FedoraServer --add-service=${x} ; done
>    - systemctl reload firewalld.service
>    - ipa-server-install --setup-dns --no-forwarders
>    (I had no errors there...  But I can share my logs if anyone wants to
>    see them)
>    - And I rebooted again, took another snapshot, and verified the
>    following:
>       - kinit admin
>       id admin
>       getent passwd admin
>       All return appropriate values on the server...
>       - nslookup ipa_hostname.ipa_domain works on both the server and on
>       the client...
>
> So, ON TO THE CLIENT:
>
>    - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
>    /etc/hosts
>    - echo "nameserver ipa_ip_address" >> /etc/resolv.conf
>    - (OF course, I verified that the client can ping the server, and
>    nslookup against the server)
>    - ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd
>    And this is where I ran into problems... My output:
>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: dc=ipa,dc=rxrhouse,dc=net
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Attempting to sync time using ntpd.  Will timeout after 15 seconds
>> Attempting to sync time using ntpd.  Will timeout after 15 seconds
>> Unable to sync time with NTP server, assuming the time is in sync. Please
>> check
>>
>>            that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for admin at IPA.RXRHOUSE.NET:
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>     Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>     Valid From:  Thu Sep 08 17:27:47 2016 UTC
>>     Valid Until: Mon Sep 08 17:27:47 2036 UTC
>> Enrolled in IPA realm IPA.RXRHOUSE.NET
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Systemwide CA database updated.
>> Failed to update DNS records.
>> Missing reverse record(s) for address(es): 10.42.0.100.
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Could not update DNS SSHFP records.
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring ipa.rxrhouse.net as NIS domain.
>> Client configuration complete.
>
>
>
>    - Of interest, I DID solve my NTP issues from before!  On the
>    downside, that wasn't the source of my DNS issues...
>    In /var/log/ipaclient-install, I still have the following clipping of
>    errors, which I'm merely assuming are the relevant piece:
>
>> 2016-10-26T23:30:40Z DEBUG Starting external process
>> 2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6
>> 2016-10-26T23:30:40Z DEBUG Process finished, return code=0
>> 2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6    inet 10.42.0.100/8 brd
>> 10.255.255.255 scope global dynamic enp1s6\       valid_lft 588384sec
>> preferred_lft 588384sec
>> 2: enp1s6    inet6 fe80::e779:3263:960d:ff87/64 scope link \
>> valid_lft forever preferred_lft forever
>>
>> 2016-10-26T23:30:40Z DEBUG stderr=
>> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
>> /etc/ipa/.dns_update.txt:
>> 2016-10-26T23:30:40Z DEBUG debug
>>
>> update delete trainmaster.ipa.rxrhouse.net. IN A
>> show
>> send
>>
>> update delete trainmaster.ipa.rxrhouse.net. IN AAAA
>> show
>> send
>>
>> update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
>> show
>> send
>>
>> 2016-10-26T23:30:40Z DEBUG Starting external process
>> 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g
>> /etc/ipa/.dns_update.txt
>> 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
>> 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> trainmaster.ipa.rxrhouse.net. 0 ANY     A
>>
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640
>> 1477524640 3 NOERROR 683 YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
>> AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
>> KKADAgEBoSEwHxsDRE5TGxhpc
>> GEtcGRjLmlwYS5yeHJob3VzZS5uZXSj ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIRyL2cGKhgVeg8UlZTp1+Eyg
>> QTBUAKE0e6NMtlIkxk9oJWldmUiP6UW7gcoxn66qvHyzHAqrlUNdFAcC
>> jKlsM2cRchfNTTom0QCeFn37eQICFdYo7NsrugG4DN/XT/rjNhohCSEl
>> O2tKYqiVBpjnyDF4OwC1nLcDpzBJr3nbSl
>> sh21NQJhGj+B/GPMJqpkl/ 12HJpyjeaRjqzCD2csdvGOolH89yAhFjbmpAErBdVPD+ATAEYX+aRbEc
>> 3k2idj7AcEqeQpNr5XCoCLAeyqOz/qgYrHYnrBabysbkjF0JRRoEO6BD
>> cJjeMpqai36WtW1MAs+byXBtudap0UEnx8xpub/MN7cCzJYn5sEkTOyK pSp4s/fiRyaX9O+
>> dxXK1xrBblg6kgfAwge2gAwIBEqK
>> B5QSB4rnd/vP+ s2nrQ/yBkWRVnvqyWrTqfc213iyvIR+pNvE2T9t3F1qRPcdF4OQ8soQ4
>> kQIVQOZUQZlY3NhYS08M/Rb3wUfi+Im/Z47v6//QMxb2igbPMx7/RELf
>> YHbZorXSKwzx5tkV2+JwtelUW6T5yw3PugyRueg0tdQH5lp4nrEbWNhY
>> VTDe9njUO/WCgp6ZEp+aJGVxR9qeZMVrJMYwHHF+je2fwZifztXD
>> 6cU/ Eki79Nk6HzhilK3pMOLuIvF2Kfpucj6aDiabvlplptzio9cqml8Li3E0
>> gEN/ATloKcVgtNA= 0
>>
>>
>> 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38738
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;trainmaster.ipa.rxrhouse.net.  IN      SOA
>>
>> ;; AUTHORITY SECTION:
>> ipa.rxrhouse.net.       0       IN      SOA     ipa-pdc.ipa.rxrhouse.net
>> . hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
>>
>> Found zone name: ipa.rxrhouse.net
>> The master is: ipa-pdc.ipa.rxrhouse.net
>> start_gssrequest
>> Found realm from ticket: IPA.RXRHOUSE.NET
>> send_gssrequest
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39562
>> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>>
>> ;; ANSWER SECTION:
>> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
>> 1466388205 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
>> MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
>> AwIBAaELMAkbB2FkLXBkYyQ=
>> 0
>>
>> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
>> failure.  Minor code may provide more information, Minor = Message stream
>> modified.
>>
>> 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
>> /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> trainmaster.ipa.rxrhouse.net IN A
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> trainmaster.ipa.rxrhouse.net IN AAAA
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
>> IN PTR
>> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host
>> trainmaster.ipa.rxrhouse.net: 10.42.0.100.
>> 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
>> 10.42.0.100.
>>
> -- Full logs can be found here:  http://pastebin.com/90dG9Ffu
>
>    - For grins, I decided to test:
>    kinit admin
>    id admin
>    getent passwd admin
>    on the client, and all of those all made valid responses... So
>    authentication is working, I just can't update DNS records.
>
>
> So that's what I've tried, and where I'm at...  My client machines running
> modern client software can NOT update DNS records, complaining about GSSAPI
> "Message Stream Modified" errors...  And I have no idea how to troubleshoot
> that... Any ideas?
>
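An added diagnostic for the nsupdate -g debug output quoted above; this is not code from Tyrell's post, from FreeIPA or from BIND, and the function and constant names are this example's own. It parses the TKEY answer record as nsupdate prints it, base64-decodes the key data, identifies the Kerberos V5 GSS token type by its RFC 4121 token ID and, when the token is a KRB-ERROR, walks the DER far enough to read out stime, error-code, realm and sname. The reply record embedded below is copied verbatim from the "recvmsg reply from GSS-TSIG query" section of the log (the outgoing request's key data is line-wrapped in the post, so only its inception value is reused, plus a constructed minimal AP-REQ header for comparison). Run on that record the decoder reports error code 41, which is KRB_AP_ERR_MODIFIED, the code libkrb5 prints as "Message stream modified", together with the server's stime and the realm and service principal the error was issued under; those are the values an operator would compare against the DNS server's expected principal and clock rather than the GSSAPI summary line alone.

```python
"""Decode the GSS token inside a TKEY record printed by `nsupdate -g` (debug output).

Added example; not code from the mailing-list post, FreeIPA or BIND. Function
and constant names are this example's own. It parses the TKEY RDATA fields as
nsupdate prints them, base64-decodes the key data, identifies the Kerberos V5
GSS token type (RFC 4121 token IDs) and, for a KRB-ERROR, walks the DER just
far enough to pull out stime, error-code, realm and sname (RFC 4120 5.9.1).
"""
import base64
from datetime import datetime, timezone

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
KRB_ERRORS = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 31: "KRB_AP_ERR_BAD_INTEGRITY",
              32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW",
              41: "KRB_AP_ERR_MODIFIED"}  # 41 is what libkrb5 prints as "Message stream modified"

# TKEY answer record copied from the "recvmsg reply from GSS-TSIG query" section of
# the log in the post, and the inception value of the client's outgoing TKEY request.
REPLY_TKEY_RECORD = """
3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
1466388205 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
AwIBAaELMAkbB2FkLXBkYyQ=
0
"""
CLIENT_INCEPTION = 1477524640
# Constructed minimal AP-REQ-flavoured token (header + OID + token ID only), for comparison.
SAMPLE_AP_REQ_TOKEN = bytes.fromhex("600d") + KRB5_OID + b"\x01\x00"


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        yield tag, value


def parse_tkey(record_text):
    """Pull algorithm, inception, expiration, mode, error and key bytes out of a TKEY record."""
    fields = record_text.split()
    i = fields.index("TKEY")
    algorithm, inception, expiration, mode, error, keysize = fields[i + 1:i + 7]
    keysize = int(keysize)
    needed = -(-keysize // 3) * 4          # base64 length for keysize bytes, incl. padding
    b64, j = "", i + 7
    while len(b64) < needed:               # key data may be wrapped over several lines
        b64, j = b64 + fields[j], j + 1
    key = base64.b64decode(b64)
    if len(key) != keysize:
        raise ValueError("key data length %d does not match keysize %d" % (len(key), keysize))
    return {"algorithm": algorithm, "inception": int(inception), "expiration": int(expiration),
            "mode": int(mode), "error": error, "key": key}


def classify_gss_token(token):
    """Return (token type, inner Kerberos message) for a Kerberos V5 InitialContextToken."""
    tag, body, _ = der_read(token)
    if tag != 0x60 or not body.startswith(KRB5_OID):
        return "not a Kerberos V5 GSS token", b""
    body = body[len(KRB5_OID):]
    return TOKEN_IDS.get(body[:2], "unknown"), body[2:]


def parse_krb_error(inner):
    """Extract stime, error-code, realm and sname from a DER KRB-ERROR ([APPLICATION 30])."""
    tag, seq, _ = der_read(inner)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR (tag 0x%02x)" % tag)
    _, fields, _ = der_read(seq)           # the SEQUENCE body
    out = {}
    for tag, value in der_children(fields):
        ctx = tag & 0x1F                   # explicit context tag number
        _, val, _ = der_read(value)        # the single TLV inside the explicit tag
        if ctx == 4:                       # stime, KerberosTime (GeneralizedTime)
            out["stime"] = datetime.strptime(val.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        elif ctx == 6:                     # error-code
            out["error_code"] = int.from_bytes(val, "big", signed=True)
            out["error_name"] = KRB_ERRORS.get(out["error_code"], "unknown")
        elif ctx == 9:                     # realm of the service the error was issued under
            out["realm"] = val.decode()
        elif ctx == 10:                    # sname, PrincipalName: name-type [0], name-string [1]
            for ptag, pval in der_children(val):
                if (ptag & 0x1F) == 1:
                    _, strings, _ = der_read(pval)
                    out["sname"] = "/".join(s.decode() for _, s in der_children(strings))
    return out


def diagnose_tkey_reply(record_text, client_time=None):
    """Decode a TKEY reply; for a KRB-ERROR also report the server clock against client_time."""
    rec = parse_tkey(record_text)
    kind, inner = classify_gss_token(rec["key"])
    report = {"token": kind, "tkey_inception": rec["inception"], "tkey_error": rec["error"]}
    if kind == "KRB-ERROR":
        err = parse_krb_error(inner)
        report.update(err)
        if client_time is not None:
            report["server_clock_offset_s"] = client_time - int(err["stime"].timestamp())
    return report


if __name__ == "__main__":
    for key, value in diagnose_tkey_reply(REPLY_TKEY_RECORD, CLIENT_INCEPTION).items():
        print("%-22s %s" % (key, value))
```

The script only decodes what the server sent back; it does not decrypt anything, because a KRB-ERROR is plaintext. The `server_clock_offset_s` field is the difference between the client's TKEY inception and the server's stime, which is the one number worth checking first whenever a GSS-TSIG negotiation fails with a Kerberos AP error.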