11:19 a.m.
Hi Team,
I am running redhat 7.5 with freeipa 4.5 . I have established AD one way sync using
password.
I am able to ssh the ipa client and ipa server with windows administrator account , But
when I try to login with normal AD user I am
receiving the error " kinit: Password incorrect while getting initial
credentials"
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
KRB5_TRACE=/dev/stdout kinit -V nandha.kumaravel(a)apxxx.xxx
[28904] 1546967107.58765: Resolving unique ccache of type KEYRING
Using new cache: persistent:0:krb_ccache_nLG0yqq
[28904] 1546967107.58777: Response was not from master KDC
[28904] 1546967107.58778: Received error from KDC: -1765328359/Additional
pre-authentication required
[28904] 1546967107.58781: Processing preauth types: 16, 15, 19, 2
[28904] 1546967107.58782: Selected etype info: etype aes256-cts, salt "APRIM.XXX
nandha.kumaravel", params ""
[28904] 1546967107.58783: PKINIT client has no configured identity; giving up
[28904] 1546967107.58784: PKINIT client has no configured identity; giving up
[28904] 1546967107.58785: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[28904] 1546967107.58786: PKINIT client has no configured identity; giving up
[28904] 1546967107.58787: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for nandha.kumaravel(a)aprim.xxx:
[28904] 1546967125.768563: AS key obtained for encrypted timestamp: aes256-cts/675E
[28904] 1546967125.768565: Encrypted timestamp (for 1546967099.435765): plain
301AA011180F32303139303130383137303435395AA105020306A635, encrypted
D03014021DFD2120B8EC876B6A6568CEC53DFFE6AB5003028B81A18173717C2C14259C5002A41900A974FF0E2F372EECB9E7F4836AE0DD43
[28904] 1546967125.768566: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
[28904] 1546967125.768567: Produced preauth for next request: 2
[
[28904] 1546967125.768577: Response was not from master KDC
[28904] 1546967125.768578: Received error from KDC: -1765328360/Preauthentication failed
[28904] 1546967125.768580: Preauth tryagain input types: 16, 14, 19, 2
[28904] 1546967125.768581: Retrying AS request with master KDC
[28904] 1546967125.768582: Getting initial credentials for nandha.kumaravel(a)aprim.xxx
[28904] 1546967125.768584: Sending request (182 bytes) to aprim.xxx (master)
kinit: Password incorrect while getting initial credentials
6:34 p.m.
New subject: kinit: Password incorrect while getting initial credentials
nandha kumar writes:
I am running redhat 7.5 with freeipa 4.5 . I have established AD one
way sync using password. I am able to ssh the ipa client and ipa
server with windows administrator account , But when I try to login
with normal AD user I am receiving the error " kinit: Password
incorrect while getting initial credentials"
Can you kinit as the administrator account?
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
KRB5_TRACE=/dev/stdout kinit -V nandha.kumaravel(a)apxxx.xxx
[28904] 1546967107.58765: Resolving unique ccache of type KEYRING
Using new cache: persistent:0:krb_ccache_nLG0yqq
[28904] 1546967107.58777: Response was not from master KDC
[28904] 1546967107.58778: Received error from KDC: -1765328359/Additional
pre-authentication required
[28904] 1546967107.58781: Processing preauth types: 16, 15, 19, 2
[28904] 1546967107.58782: Selected etype info: etype aes256-cts, salt "APRIM.XXX
nandha.kumaravel", params ""
[28904] 1546967107.58783: PKINIT client has no configured identity; giving up
[28904] 1546967107.58784: PKINIT client has no configured identity; giving up
[28904] 1546967107.58785: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[28904] 1546967107.58786: PKINIT client has no configured identity; giving up
[28904] 1546967107.58787: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
Password for nandha.kumaravel(a)aprim.xxx:
[28904] 1546967125.768563: AS key obtained for encrypted timestamp: aes256-cts/675E
[28904] 1546967125.768565: Encrypted timestamp (for 1546967099.435765): plain
301AA011180F32303139303130383137303435395AA105020306A635, encrypted
D03014021DFD2120B8EC876B6A6568CEC53DFFE6AB5003028B81A18173717C2C14259C5002A41900A974FF0E2F372EECB9E7F4836AE0DD43
[28904] 1546967125.768566: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
[28904] 1546967125.768567: Produced preauth for next request: 2
[
[28904] 1546967125.768577: Response was not from master KDC
[28904] 1546967125.768578: Received error from KDC: -1765328360/Preauthentication failed
[28904] 1546967125.768580: Preauth tryagain input types: 16, 14, 19, 2
[28904] 1546967125.768581: Retrying AS request with master KDC
[28904] 1546967125.768582: Getting initial credentials for nandha.kumaravel(a)aprim.xxx
[28904] 1546967125.768584: Sending request (182 bytes) to aprim.xxx (master)
kinit: Password incorrect while getting initial credentials
Can you verify that your password is actually correct?
Thanks,
--Robbie
10 p.m.
New subject: kinit: Password incorrect while getting initial credentials
Hi Robbie,
Yes, I am able to kinit the administrator account
Yes. My password is correct and even I check for other 4 AD users, it gives the same
error
Regards
Nandha
3:38 p.m.
New subject: kinit: Password incorrect while getting initial credentials
nandha kumar via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Hi Robbie,
Yes, I am able to kinit the administrator account
Yes. My password is correct and even I check for other 4 AD users, it
gives the same error
I don't know that there's much I can offer you here. AD says the
password is wrong. You could check DNS and that you're talking to the
right machines (all of which you've redacted here).
Thanks,
--Robbie
4:18 a.m.
New subject: kinit: Password incorrect while getting initial credentials
On Fri, Jan 11, 2019 at 04:38:15PM -0500, Robbie Harwood via FreeIPA-users wrote:
nandha kumar via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
writes:
> Hi Robbie,
>
> Yes, I am able to kinit the administrator account
>
> Yes. My password is correct and even I check for other 4 AD users, it
> gives the same error
I don't know that there's much I can offer you here. AD says the
password is wrong. You could check DNS and that you're talking to the
right machines (all of which you've redacted here).
Besided that I wonder if there is a chance that due to some unexpected
codepage setting on the AD DC or locale on the client the salt or the
password are used in different encodings to derive the keys? I haven't
checked the RFC or MS-KILE to see if they say anything about encoding
but maybe someone knows from the top of his head?.
bye,
Sumit
Thanks,
--Robbie
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1932
days inactive
1936
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
nandha kumar -
Robbie Harwood -
Sumit Bose