Hello the list,

I’ve seen this issue on the list several times, but I’ve not yet seen a solution posted., We’re having this issue on one of our SLES 12 SP2 hosts (we have other SLES hosts are fine), were seeing this error when users try and login, they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.

In this hosts /var/log/sssd/ldap_child.log

<27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - -  Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - -  Preauthentication failed

<27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - -  Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - -  Preauthentication failed

On the FreeIPA server from /var/log/krb5kdc.log

17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed

On the host in question klist gives the following (note that kinit works, even if ssh login does not):

sles01:~ # klist -kte

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp         Principal

---- ----------------- --------------------------------------------------------

   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)

   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)

sles01:~ # kinit admin

Password for admin@EXAMPLE.ORG:

kinit: Preauthentication failed while getting initial credentials

sles01:~ # kinit admin

Password for admin@EXAMPLE.ORG:

sles01:~ # kvno host/sles01.example.org@EXAMPLE.ORG

host/sles01.example.org@EXAMPLE.ORG: kvno = 3

Also, I’ve compared NTP and there’s only ~2.5ms offset between the two hosts.

Increasing the logging level of sssd to debug_level=9 which does not generate more logs.