Hi,
i have maybe an IPA server which is a little bit broken (My NFS services don’t work, i can’t mount - the rest is working.).
I see this messages:
ipa-client-install: Kerberos authentication failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed Installation failed. Force set so not rolling back changes.
krb5kdc.log: Aug 23 10:49:26 pipa.ims.intern krb5kdc[2333](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: NEEDED_PREAUTH: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Additional pre-authentication required Aug 23 10:49:26 pipa.ims.intern krb5kdc[2334](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: PREAUTH_FAILED: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Preauthentication failed
What does this mean? What can be broken on the IPA server?
Thanx for any help!
Detlev
-- Detlev | Institut fuer Mikroelektronische Systeme Habicht | D-30167 Hannover +49 511 76219662 habicht@ims.uni-hannover.de --------+-------- Handy +49 172 5415752 ---------------------------
Detlev Habicht via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi,
i have maybe an IPA server which is a little bit broken (My NFS services don’t work, i can’t mount - the rest is working.).
I see this messages:
ipa-client-install: Kerberos authentication failed: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed Installation failed. Force set so not rolling back changes.
krb5kdc.log:
Aug 23 10:49:26 pipa.ims.intern krb5kdc[2333](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: NEEDED_PREAUTH: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Additional pre-authentication required Aug 23 10:49:26 pipa.ims.intern krb5kdc[2334](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 130.75.57.122: PREAUTH_FAILED: host/pxe-122.ims.intern@IMS.INTERN for krbtgt/IMS.INTERN@IMS.INTERN, Preauthentication failed
What does this mean? What can be broken on the IPA server?
Well, it means that the client and server (KDC specifically) don't agree on the state of the world enough to grant credentials. Usually this means:
- passwords are wrong/mistyped - clocks are not synchronized - krb5kdc can't connect to ldap proprly (it should yell about this in logs though)
Thanks, --Robbie
freeipa-users@lists.fedorahosted.org