Am Tue, May 17, 2022 at 02:29:24PM -0000 schrieb Joyce Babu via FreeIPA-users:
> I have a FreeIPA installation with many Pop!_OS 21.10 clients. Today I
> upgraded one of the clients to Pop!_OS 22.04, and I can no longer
> authenticate with FreeIPA on the upgraded client.
>
> In krb5kdc.log file on the server, I can see the error 'verify failure:
> Incorrect password in encrypted challenge'
>
> =======
> May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14:
> NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional
> pre-authentication required
> May 17 14:07:43 ipa.myhost.com krb5kdc[301](info): closing down fd 12
> May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): preauth
> (encrypted_challenge) verify failure: Incorrect password in encrypted
> challenge
> May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.14:
> PREAUTH_FAILED: [email protected] for krbtgt/[email protected],
> Preauthentication failed
> May 17 14:07:43 ipa.myhost.com krb5kdc[302](info): closing down fd 12
> =======
>
> If I try the same username/password on a Pop!_OS 21.10 client, I can login
> successfully and I see the following log message. I tried multiple times with
> multiple users, and had the same result.
>
> =======
> May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24:
> NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional
> pre-authentication required
> May 17 14:05:51 ipa.myhost.com krb5kdc[299](info): closing down fd 12
> May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE:
> authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> [email protected] for krbtgt/[email protected]
> May 17 14:05:51 ipa.myhost.com krb5kdc[301](info): closing down fd 12
> May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.24: ISSUE:
> authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> [email protected] for host/[email protected]
> May 17 14:05:51 ipa.myhost.com krb5kdc[300](info): closing down fd 12
> =======
>
> What changed in Ubuntu 22.04? Could this be due to incompatible encryption
> type?
Hi,
have you checked if the keyboard encoding changed and you have to type
the special characters of the password differently now?
bye,
Sumit
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
