On 08/01/18 22:46, Robbie Harwood wrote:
lejeczek via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
writes:
> $ ipa-client-install --no-ntp --force-join
>
> krb5kdc[1560686](info): preauth (encrypted_timestamp) verify
> failure: Preauthentication failed
>
> But after many tries(randomly) suddenly it would succeed.
Do the clocks match on the client and server?
Thanks,
--Robbie
First thing I checked was the clock - yes.
Client log attached in hope it would reveal more.
And one more time, server's end, /var/log/krb5kdc.log:
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22663](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25
26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes {rep=18
tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): TGS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes
{rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
ldap/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 09 18:58:27 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): TGS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.17: ISSUE: authtime 1515524307, etypes
{rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
HTTP/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): TGS_REQ (1 etypes {18}) 10.5.6.17:
ISSUE: authtime 1515524307, etypes {rep=18 tkt=18 ses=18},
admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22668](info): TGS_REQ (8 etypes {18 17 20 19 16 23
25 26}) 10.5.6.32: ISSUE: authtime 1515524307, etypes
{rep=18 tkt=18 ses=18}, admin(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
ldap/swir.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22668](info): AS_REQ (8 etypes {18 17 20 19 16 23 25
26}) 10.5.6.17: NEEDED_PREAUTH:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22668](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): AS_REQ (8 etypes {18 17 20 19 16 23 25
26}) 10.5.6.17: PREAUTH_FAILED:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22665](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22662](info): AS_REQ (8 etypes {18 17 20 19 16 23 25
26}) 10.5.6.17: NEEDED_PREAUTH:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Additional pre-authentication required
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22662](info): closing down fd 11
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): AS_REQ (8 etypes {18 17 20 19 16 23 25
26}) 10.5.6.17: PREAUTH_FAILED:
host/dzien.priv.xx.xx.priv.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x
for
krbtgt/PRIVATE.xx.xx.PRIVATE.xx.xx.x(a)PRIVATE.xx.xx.PRIVATE.xx.xx.x,
Preauthentication failed
Jan 09 18:58:28 swir.priv.xx.xx.priv.xx.xx.x
krb5kdc[22661](info): closing down fd 11