Hello,
I've just noticed that kinit is not working for several but not all accounts in our FreeIPA domain (4.4.0-14.el7.centos.7). I get the following error:
on the client:
[root@caesium tiemen]# KRB5_TRACE=/dev/stdout kinit *dba*
[7827] 1498729905.996951: Resolving unique ccache of type KEYRING
[7827] 1498729905.997071: Getting initial credentials for dba@I.RDMEDIA.COM
[7827] 1498729905.997811: Sending request (167 bytes) to I.RDMEDIA.COM
[7827] 1498729905.998340: Initiating TCP connection to stream 10.100.110.36:88
[7827] 1498729906.2356: Sending TCP request to stream 10.100.110.36:88
[7827] 1498729906.9304: Received answer (204 bytes) from stream 10.100.110.36:88
[7827] 1498729906.9334: Terminating TCP connection to stream 10.100.110.36:88
[7827] 1498729906.9621: Response was from master KDC
[7827] 1498729906.9683: Received error from KDC: -1765328359/Additional pre-authentication required
*[7827] 1498729906.9780: Processing preauth types: 136, 133*
*[7827] 1498729906.9795: Received cookie: MIT*
*kinit: Generic preauthentication failure while getting initial credentials*
whereas
[root@caesium tiemen]# KRB5_TRACE=/dev/stdout kinit *admin*
[7869] 1498730079.918191: Resolving unique ccache of type KEYRING
[7869] 1498730079.918290: Getting initial credentials for admin@I.RDMEDIA.COM
[7869] 1498730079.918896: Sending request (169 bytes) to I.RDMEDIA.COM
[7869] 1498730079.919370: Initiating TCP connection to stream 10.100.110.36:88
[7869] 1498730079.922958: Sending TCP request to stream 10.100.110.36:88
[7869] 1498730079.930832: Received answer (258 bytes) from stream 10.100.110.36:88
[7869] 1498730079.930857: Terminating TCP connection to stream 10.100.110.36:88
[7869] 1498730079.930977: Response was from master KDC
[7869] 1498730079.931039: Received error from KDC: -1765328359/Additional pre-authentication required
*[7869] 1498730079.931106: Processing preauth types: 136, 19, 2, 133*
*[7869] 1498730079.931129: Selected etype info: etype aes256-cts, salt "REDACTED", params ""*
*[7869] 1498730079.931139: Received cookie: MIT*
*Password for ter@I.RDMEDIA.COM:*
What could explain this difference? Where can I look to debug this?
Never mind, the users didn't have a password set.
On 29 June 2017 at 12:02, Tiemen Ruiten t.ruiten@rdmedia.com wrote:
--
Tiemen Ruiten
Systems Engineer
R&D Media
freeipa-users@lists.fedorahosted.org
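The difference between the two traces above is the list of offered preauth types: the failing account gets only 136 (PA-FX-FAST) and 133 (PA-FX-COOKIE), while the working one also gets 19 (PA-ETYPE-INFO2) and 2 (PA-ENC-TIMESTAMP). The following is an added example, not part of the original thread or of FreeIPA, that scans KRB5_TRACE output for that pattern. It assumes, based on the thread's outcome, that the absence of types 2 and 19 hints at a missing password key; `analyze_trace` and the other names are hypothetical.

```python
import re

# Kerberos pre-authentication type numbers (RFC 4120, RFC 6113).
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2",
            133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}
# Assumption (from the thread): these are only offered when the KDC
# holds a password-derived key for the principal.
PASSWORD_HINTS = {2, 19}

PRINCIPAL_RE = re.compile(r"Getting initial credentials for (\S+)")
PREAUTH_RE = re.compile(r"Processing preauth types: ([\d, ]+)")

# Constructed sample: selected trace lines from the two kinit runs in the post.
SAMPLE_TRACE = """\
[7827] 1498729905.997071: Getting initial credentials for dba@I.RDMEDIA.COM
[7827] 1498729906.9683: Received error from KDC: -1765328359/Additional pre-authentication required
[7827] 1498729906.9780: Processing preauth types: 136, 133
[7827] 1498729906.9795: Received cookie: MIT
[7869] 1498730079.918290: Getting initial credentials for admin@I.RDMEDIA.COM
[7869] 1498730079.931106: Processing preauth types: 136, 19, 2, 133
[7869] 1498730079.931129: Selected etype info: etype aes256-cts, salt "REDACTED", params ""
"""

def analyze_trace(text):
    """Return {principal: report} for each AS exchange in a KRB5_TRACE log."""
    reports, current = {}, None
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:  # a new kinit run starts here
            current = m.group(1)
            reports[current] = {"types": [], "password_key_hint": False}
            continue
        m = PREAUTH_RE.search(line)
        if m and current:
            seen = reports[current]["types"]
            # Accumulate across rounds; a later reply may list fewer types.
            for t in (int(x) for x in m.group(1).split(",") if x.strip()):
                if t not in seen:
                    seen.append(t)
            reports[current]["password_key_hint"] = bool(PASSWORD_HINTS & set(seen))
    return reports

if __name__ == "__main__":
    for principal, r in analyze_trace(SAMPLE_TRACE).items():
        names = ", ".join(PA_NAMES.get(t, str(t)) for t in r["types"])
        verdict = "ok" if r["password_key_hint"] else "check that a password is set"
        print(f"{principal}: {names} -> {verdict}")
```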