Hi Team,
I am running Red Hat 7.5 with FreeIPA 4.5. I have established an AD one-way sync using a password. I am able to ssh to the IPA client and IPA server with the Windows administrator account, but when I try to log in with a normal AD user I receive the error "kinit: Password incorrect while getting initial credentials".
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
KRB5_TRACE=/dev/stdout kinit -V nandha.kumaravel@apxxx.xxx
[28904] 1546967107.58765: Resolving unique ccache of type KEYRING
Using new cache: persistent:0:krb_ccache_nLG0yqq
[28904] 1546967107.58777: Response was not from master KDC
[28904] 1546967107.58778: Received error from KDC: -1765328359/Additional pre-authentication required
[28904] 1546967107.58781: Processing preauth types: 16, 15, 19, 2
[28904] 1546967107.58782: Selected etype info: etype aes256-cts, salt "APRIM.XXX nandha.kumaravel", params ""
[28904] 1546967107.58783: PKINIT client has no configured identity; giving up
[28904] 1546967107.58784: PKINIT client has no configured identity; giving up
[28904] 1546967107.58785: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[28904] 1546967107.58786: PKINIT client has no configured identity; giving up
[28904] 1546967107.58787: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for nandha.kumaravel@aprim.xxx:
[28904] 1546967125.768563: AS key obtained for encrypted timestamp: aes256-cts/675E
[28904] 1546967125.768565: Encrypted timestamp (for 1546967099.435765): plain 301AA011180F32303139303130383137303435395AA105020306A635, encrypted D03014021DFD2120B8EC876B6A6568CEC53DFFE6AB5003028B81A18173717C2C14259C5002A41900A974FF0E2F372EECB9E7F4836AE0DD43
[28904] 1546967125.768566: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28904] 1546967125.768567: Produced preauth for next request: 2 [
[28904] 1546967125.768577: Response was not from master KDC
[28904] 1546967125.768578: Received error from KDC: -1765328360/Preauthentication failed
[28904] 1546967125.768580: Preauth tryagain input types: 16, 14, 19, 2
[28904] 1546967125.768581: Retrying AS request with master KDC
[28904] 1546967125.768582: Getting initial credentials for nandha.kumaravel@aprim.xxx
[28904] 1546967125.768584: Sending request (182 bytes) to aprim.xxx (master)
kinit: Password incorrect while getting initial credentials
nandha kumar writes:
> I am running Red Hat 7.5 with FreeIPA 4.5. I have established an AD one-way sync using a password. I am able to ssh to the IPA client and IPA server with the Windows administrator account, but when I try to log in with a normal AD user I receive the error "kinit: Password incorrect while getting initial credentials".
Can you kinit as the administrator account?
Can you verify that your password is actually correct?
Thanks, --Robbie
Hi Robbie,
Yes, I am able to kinit the administrator account.
Yes. My password is correct, and even when I check 4 other AD users, it gives the same error.
Regards, Nandha
nandha kumar via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Hi Robbie,
> Yes, I am able to kinit the administrator account.
> Yes. My password is correct, and even when I check 4 other AD users, it gives the same error.
I don't know that there's much I can offer you here. AD says the password is wrong. You could check DNS and that you're talking to the right machines (all of which you've redacted here).
Thanks, --Robbie
On Fri, Jan 11, 2019 at 04:38:15PM -0500, Robbie Harwood via FreeIPA-users wrote:
> nandha kumar via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
>> Hi Robbie,
>> Yes, I am able to kinit the administrator account.
>> Yes. My password is correct, and even when I check 4 other AD users, it gives the same error.
> I don't know that there's much I can offer you here. AD says the password is wrong. You could check DNS and that you're talking to the right machines (all of which you've redacted here).
Besides that, I wonder if there is a chance that, due to some unexpected codepage setting on the AD DC or locale on the client, the salt or the password are used in different encodings to derive the keys? I haven't checked the RFC or MS-KILE to see if they say anything about encoding, but maybe someone knows off the top of his head?
bye, Sumit
> Thanks, --Robbie
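The encoding question raised in the last message, as an added example (not code from the thread, MIT krb5 or FreeIPA): the aes256-cts key is derived from the password and salt bytes with PBKDF2-HMAC-SHA1 (RFC 3962), so one typed password can become several different keys depending on codec and Unicode normalization. The realm, user and passwords are constructed placeholders, and only the PBKDF2 step is computed; the final DK step is a deterministic function of its output.

```python
import hashlib
import unicodedata

# Constructed placeholders (not values from the thread).
SALT = "EXAMPLE.TESTalice"   # default salt form: realm followed by principal name
ITERATIONS = 4096            # RFC 3962 default when the etype-info "params" is empty

# (label, Unicode normalization form, codec) a client or DC might apply.
FORMS = [
    ("utf-8/NFC", "NFC", "utf-8"),
    ("utf-8/NFD", "NFD", "utf-8"),
    ("latin-1", "NFC", "latin-1"),
    ("cp1252", "NFC", "cp1252"),
]


def pbkdf2_tkey(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the aes256-cts string-to-key (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=32)


def keys_by_form(password: str, salt: str = SALT) -> dict:
    """Derive one intermediate key per byte form; None if the codec cannot encode it."""
    out = {}
    for label, norm, codec in FORMS:
        try:
            pw = unicodedata.normalize(norm, password).encode(codec)
            st = unicodedata.normalize(norm, salt).encode(codec)
        except UnicodeEncodeError:
            out[label] = None
            continue
        out[label] = pbkdf2_tkey(pw, st).hex()
    return out


def distinct_keys(password: str, salt: str = SALT) -> int:
    """Number of different keys the same typed password can turn into."""
    return len({k for k in keys_by_form(password, salt).values() if k})


if __name__ == "__main__":
    # ASCII-only, one with U+00E4, one with U+20AC (not encodable in latin-1).
    for pw in ["Passw0rd!", "P\u00e4ssw0rd", "\u20acuro1"]:
        print(repr(pw), "distinct keys:", distinct_keys(pw))
        for label, key in keys_by_form(pw).items():
            print(f"  {label:10} {key[:16] if key else 'not encodable'}")
```

An ASCII-only password gives the same key under every form, so this failure mode only applies to accounts whose password or salt contains non-ASCII characters.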