So, I'm /this/ close to getting a pair of servers in Alaska (on very
slow links) set up for IPA authentication. I've followed the
documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
since these two servers are CentOS 6.9. I'm almost certain I've got
everything set up correctly, but I'm still unable to log in as an IPA user
either with SSH or with su - <username>. I get '<username> does not
exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney'
successfully:

[root@rad8 nnsrad]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark.haney@NEONOVA.NET

Valid starting     Expires            Service principal
10/17/17 15:05:47  10/18/17 15:05:24  krbtgt/NEONOVA.NET@NEONOVA.NET

Note that my user account does not exist on the local machine and never
has. And the admin account, while one exists locally, has a different
password than the IPA admin.
Rob Crittenden had me check the keytab KVNO and it matches with the KVNO
of the IPA server. The one issue I can definitely say I have is this:

kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials

Rob said the keytab might be out of sync, but unless I'm following his
instructions incorrectly, they do match. Anyone else have ideas on how
to get this working?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net