Hi Alexander,
Thanks for the quick reply, I will look into that.
Roberto
On Tue, 2 Jan 2024 at 17:04, Alexander Bokovoy abokovoy@redhat.com wrote:
On Tue, 02 Jan 2024, Roberto Cornacchia via FreeIPA-users wrote:
Hi there, clients are having trouble with kerberos authentication:
$ kinit -V user
Using existing cache: xxxxxxxxxx:yyyyy
Using principal: user@SUB.EXAMPLE.COM
Password for user@SUB.EXAMPLE.COM:
kinit: Generic error (see e-text) while getting initial credentials
On the ipa server, /var/log/krb5kdc.log says:
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.0.202: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ : handle_authdata (2)
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.0.202: HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory
^^^ this means the user roberto has no SID assigned. Look into numerous discussions on this mailing list in 2023, there are plenty of suggested actions in those threads.
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.16: NEEDED_PREAUTH: ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for ldap/ipa02.sub.example.com@SUB.EXAMPLE.COM
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
There are 2 ipa servers, ipa01 (Rocky 9.3, ipa 4.10.2) and ipa02 (Rocky 9.1, ipa 4.10.0), both with CA and DNS. ipa02 is CRL master. On both, ipa-healthcheck doesn't find any issue.
Also: kinit fails from within ipa01, succeeds from within ipa02.
The issue seems to be in ipa01, and I have already tried to reinstall it from scratch. One thing that is different is the version.
Could you please help me figure out what's wrong?
Best regards, Roberto
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
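The HANDLE_AUTHDATA / "No such file or directory" pattern Alexander points at is easy to miss in a busy krb5kdc.log, so here is an added Python example (not code from the thread or from FreeIPA) that parses the request lines and lists the principals whose AS_REQ failed that way, which is the cue to check the user entry's ipantsecurityidentifier attribute. The sample lines are constructed from the excerpt above, with shortened etype lists; hosts, addresses and principals are placeholders.

```python
import re

# Constructed sample modelled on the krb5kdc.log excerpt in the thread; hosts,
# addresses and principals are placeholders and the etype lists are shortened.
SAMPLE_LOG = """\
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ : handle_authdata (2)
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
"""

# Request lines: timestamp, KDC host, AS/TGS, client address, status keyword and
# the free-text remainder. "closing down fd" and "handle_authdata" lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{.*\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# NEEDED_PREAUTH / HANDLE_AUTHDATA remainder: "<principal> for <service>, <message>".
DETAIL_RE = re.compile(r"^(?P<princ>\S+) for (?P<service>\S+)(?:, (?P<msg>.*))?$")


def parse_kdc_log(text):
    """One dict per request line; princ/service/msg are None where not present."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        d = DETAIL_RE.match(ev["detail"])
        ev.update(d.groupdict() if d else {"princ": None, "service": None, "msg": None})
        events.append(ev)
    return events


def find_missing_sid_principals(text):
    """principal -> [(timestamp, client)] for AS_REQs that died in HANDLE_AUTHDATA
    with "No such file or directory": on a FreeIPA KDC the PAC cannot be built
    because the user entry has no SID (ipantsecurityidentifier), and the client
    only sees kinit's generic error. NEEDED_PREAUTH and ISSUE lines are ignored."""
    hits = {}
    for ev in parse_kdc_log(text):
        if (ev["req"] == "AS_REQ" and ev["status"] == "HANDLE_AUTHDATA"
                and ev["msg"] == "No such file or directory"):
            hits.setdefault(ev["princ"], []).append((ev["ts"], ev["client"]))
    return hits
```

Run it over the real log with `find_missing_sid_principals(open("/var/log/krb5kdc.log").read())`; each principal it returns is one to inspect with ipa user-show before reinstalling a replica.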