On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote: Kat, does something fail, or are you simply concerned with the error showing up in the kdc logs ? This error is 'expected' in modern kerberos implementations. The original krb5 protocol did not use pre-authentication and that made it subject to offline dictionary attacks. So to "fix" this hole, pre-authentication mechanism were introduced.  The requirement to pre-authenticate is communicated to the client in form of a "Preauth required" error. This is to preserve protocol compatibility with previous clients and allow a client to discover what kind of pre-authentication is allowed by the KDC (the allowed pre-auth types list is returned together with the error). HTH, Simo.

On Fri, 2017-06-02 at 10:10 -0500, Kat wrote: I am not familiar with clouders, if it depends on the kadmin interface, then it will not work as in FreeIPA thatintrerface is read-only. If the only issue is using a keytab where they use some old kerberos component that does not handle preauthenticated encryption, then you can go into freeipa and lift the requirement to perform preauthentication for that specific principal. ipa service-mod my/principal@REALM --requires-pre-auth=false HTH, Simo. > I was also just reading:  > https://community.cloudera.com/t5/Cloudera-Manager-Installation/Add-S > upport-for-FreeIPA-to-CM/td-p/34582 > > Which has Dmitri discussing things with Cloudera. The problem seems > to be that although CM has a script for custom principal retrievals, > maybe  what I am seeing here is that it is the ipa-client install > that causes  the problems? Or am I missing the boat completely? > > -K > > > On 6/2/17 7:59 AM, Simo Sorce wrote: > > On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote: > > > Hi, > > > > > > I have read several pages on getting IPA and Clouder Manager > > > working > > > together to make nice with Kerberos, however, having an issue > > > following the various steps. When I run through CM set and put > > > the > > > primary account in I run into the classic "Preauth required" and > > > yet, > > > I can kinit the account with no issues, so I am wondering if > > > there > > > are any hints on debugging this? What is typically the cuase of > > > that > > > kind of error? > > > > Kat, does something fail, or are you simply concerned with the > > error > > showing up in the kdc logs ? > > > > This error is 'expected' in modern kerberos implementations. The > > original krb5 protocol did not use pre-authentication and that made > > it > > subject to offline dictionary attacks. > > So to "fix" this hole, pre-authentication mechanism were > > introduced. > > > > The requirement to pre-authenticate is communicated to the client > > in > > form of a "Preauth required" error. This is to preserve protocol > > compatibility with previous clients and allow a client to discover > > what > > kind of pre-authentication is allowed by the KDC (the allowed pre- > > auth > > types list is returned together with the error). > > > > HTH, > > Simo. > >