Hi Alexander,

Thanks for the quick reply, I will look into that.

Roberto

On Tue, 2 Jan 2024 at 17:04, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 02 Jan 2024, Roberto Cornacchia via FreeIPA-users wrote:
>Hi there, clients are having trouble with kerberos authentication:
>
>$ kinit -V user
>Using existing cache: xxxxxxxxxx:yyyyy
>Using principal: user@SUB.EXAMPLE.COM <roberto@SUB.EXAMPLE.COM>
>Password for user@SUB.EXAMPLE.COM <roberto@SUB.EXAMPLE.COM>:
>kinit: Generic error (see e-text) while getting initial credentials
>
>On the ipa server, /var/log/krb5kdc.log says:
>
>Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
>{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
><http://192.168.0.202/>IP>: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM
><roberto@SUB.EXAMPLE.COM> for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM,
>Additional pre-authentication required
>Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
>11
>Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ :
>handle_authdata (2)
>Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
>{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
><http://192.168.0.202/>IP>: HANDLE_AUTHDATA: user <roberto@SUB.EXAMPLE.COM>
>@SUB.EXAMPLE.COM <roberto@SUB.EXAMPLE.COM> for krbtgt/
>SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory

^^^ this means the user roberto has no SID assigned. Look into numerous
discussions on this mailing list in 2023, there are plenty of suggested
actions in those threads.

>Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
>11
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
>{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
><http://192.168.0.16/>IP>: NEEDED_PREAUTH: ldap/
>ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/
>SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
>11
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
>{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
><http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
>{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
>ses=aes256-cts-hmac-sha1-96(18)},
>ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for
>krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
>11
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): TGS_REQ (4
>etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) <
><http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
>{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
>ses=aes256-cts-hmac-sha1-96(18)},
>ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for
>ldap/ipa02.sub.example.com@SUB.EXAMPLE.COM
>Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
>11
>
>There are 2 ipa servers, ipa01 (Rocky 9.3, ipa 4.10.2) and ipa02 (Rocky 9.1,
>ipa 4.10.0), both with CA and DNS. ipa02 is CRL master.
>On both, ipa-healthcheck doesn't find any issue.
>
>Also: kinit fails from within ipa01, succeeds from within ipa02.
>
>The issue seems to be in ipa01, and I have already tried to reinstall it
>from scratch. One thing that is different is the version.
>
>Could you please help me figure out what's wrong?
>
>Best regards,
>Roberto

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
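As an added example (not part of the thread and not FreeIPA's own tooling), a small parser that picks out of krb5kdc.log the event Alexander's diagnosis rests on: an AS_REQ that fails in HANDLE_AUTHDATA with "No such file or directory" for a client principal, which is how a user entry without a SID shows up on the KDC. The `SAMPLE_LOG` lines are constructed from the excerpt above (same anonymised principals and addresses, mail-client link residue removed) and stand in for /var/log/krb5kdc.log.

```python
import re

# Constructed sample, modelled on the krb5kdc.log excerpt in the thread
# (same anonymised principals/IPs, mail-client link residue removed).
SAMPLE_LOG = """\
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ : handle_authdata (2)
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ldap/ipa01.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
"""

# One AS_REQ/TGS_REQ result line:
#   "<ts> <host> krb5kdc[pid](info): AS_REQ (...etypes...) <ip>: <STATUS>: <body>"
# "closing down fd" and the bare "AS_REQ : handle_authdata (2)" lines do not match.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<body>.*)$"
)
# "<client> for <server>[, <message>]" at the end of the body.
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>\S+)(?:, (?P<msg>.*))?$")


def parse_kdc_log(text):
    """Return one dict per KDC result line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        p = PRINCIPALS.search(ev.pop("body"))
        ev.update(p.groupdict() if p else {"client": None, "server": None, "msg": None})
        events.append(ev)
    return events


def missing_sid_principals(text):
    """Client principals whose AS_REQ failed in HANDLE_AUTHDATA with ENOENT.

    In this thread that combination is the symptom of a user entry with no
    SID (ipaNTSecurityIdentifier); confirm with `ipa user-show USER --all`.
    """
    hits = {
        ev["client"]
        for ev in parse_kdc_log(text)
        if ev["status"] == "HANDLE_AUTHDATA" and ev["msg"] == "No such file or directory"
    }
    return sorted(hits)


if __name__ == "__main__":
    for principal in missing_sid_principals(SAMPLE_LOG):
        print("no SID on KDC for:", principal)
```

Point it at the real log (`missing_sid_principals(open("/var/log/krb5kdc.log").read())`) to list every principal affected, rather than only the one user who reported the failure.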