On Tue, 02 Jan 2024, Roberto Cornacchia via FreeIPA-users wrote:
Hi there, clients are having trouble with kerberos authentication:

$ kinit -V user
Using existing cache: xxxxxxxxxx:yyyyy
Using principal: [email protected]
Password for [email protected]:
kinit: Generic error (see e-text) while getting initial credentials

On the ipa server, /var/log/krb5kdc.log says:

Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.0.202:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ :
handle_authdata (2)
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.0.202:
HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/[email protected],
No such file or directory

^^^ this means the user roberto has no SID assigned. Look into the numerous
discussions on this mailing list in 2023; there are plenty of suggested
actions in those threads.

Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.16:
NEEDED_PREAUTH: ldap/[email protected] for krbtgt/[email protected],
Additional pre-authentication required
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.16:
ISSUE: authtime 1703425257, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)},
ldap/[email protected] for krbtgt/[email protected]
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): TGS_REQ (4 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.0.16:
ISSUE: authtime 1703425257, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)},
ldap/[email protected] for ldap/[email protected]
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11

There are 2 ipa servers, ipa01 (Rocky 9.3, ipa 4.10.2) and ipa02 (Rocky 9.1,
ipa 4.10.0), both with CA and DNS. ipa02 is CRL master.
On both, ipa-healthcheck doesn't find any issue.

Also: kinit fails from within ipa01, succeeds from within ipa02.

The issue seems to be in ipa01, and I have already tried to reinstall it
from scratch. One thing that is different is the version.

Could you please help me figure out what's wrong?

Best regards,
Roberto




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
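The diagnostic Alexander gives above (an AS_REQ that gets as far as HANDLE_AUTHDATA and then fails with "No such file or directory" means the KDC could not build the PAC because the user entry has no SID) can be turned into a quick scan of krb5kdc.log that lists every client principal hit by it. The following is an added example for this thread, not code from FreeIPA or MIT krb5. The log lines in it are constructed to mirror the ones quoted above, each entry on a single line as the KDC actually writes it; the realm SUB.EXAMPLE.COM and the host ipa01.sub.example.com come from the thread, the principal alice@SUB.EXAMPLE.COM and the second error text are made up for the sample.

```python
"""Scan krb5kdc.log for AS_REQ failures that indicate a user without a SID.

Added example for this FreeIPA-users thread; not FreeIPA or MIT krb5 code.
"""
import re
from collections import Counter

# One krb5kdc.log AS_REQ entry that reached the HANDLE_AUTHDATA stage:
#   ... krb5kdc[PID](info): AS_REQ (N etypes {...}) ADDR: HANDLE_AUTHDATA:
#       CLIENT for SERVER, REASON
# The etype list is skipped; realm and principal names are taken as-is.
_AUTHDATA_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): HANDLE_AUTHDATA: (?P<client>\S+) for (?P<server>\S+), "
    r"(?P<reason>.+)$"
)

# Error text the IPA KDB backend surfaces when it cannot produce a PAC for a
# user entry that has no SID (the line Alexander points at in the thread).
MISSING_SID_REASON = "No such file or directory"


def parse_authdata_failure(line):
    """Return {addr, client, server, reason} for a HANDLE_AUTHDATA line, else None."""
    m = _AUTHDATA_RE.search(line.strip())
    return m.groupdict() if m else None


def find_missing_sid_principals(log_lines):
    """Count, per client principal, AS_REQs that failed for lack of a SID.

    NEEDED_PREAUTH / ISSUE entries and HANDLE_AUTHDATA entries with any other
    reason are ignored, so the result only contains candidates for SID repair.
    """
    hits = Counter()
    for line in log_lines:
        entry = parse_authdata_failure(line)
        if entry and entry["reason"].strip() == MISSING_SID_REASON:
            hits[entry["client"]] += 1
    return hits


# Constructed sample log: two entries for the user from the thread, one for a
# made-up principal, plus entries that must not be flagged.
_PFX = "Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): "
_ETYPES = "{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}"
SAMPLE_LOG = [
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.202: NEEDED_PREAUTH: "
    "user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, "
    "Additional pre-authentication required",
    _PFX + "AS_REQ : handle_authdata (2)",
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.202: HANDLE_AUTHDATA: "
    "user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, "
    "No such file or directory",
    _PFX + "closing down fd 11",
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.202: HANDLE_AUTHDATA: "
    "user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, "
    "No such file or directory",
    # Made-up second principal hitting the same failure.
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.17: HANDLE_AUTHDATA: "
    "alice@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, "
    "No such file or directory",
    # Made-up HANDLE_AUTHDATA failure with a different reason: not a SID case.
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.18: HANDLE_AUTHDATA: "
    "bob@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, "
    "Constructed unrelated error",
    # Successful service ticket for the other replica, as in the thread.
    _PFX + "AS_REQ (2 etypes " + _ETYPES + ") 192.168.0.16: ISSUE: authtime "
    "1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18)}, "
    "ldap/ipa02.sub.example.com@SUB.EXAMPLE.COM for "
    "krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM",
]


if __name__ == "__main__":
    import sys
    # With a file argument, scan that log; otherwise use the constructed sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for principal, count in find_missing_sid_principals(lines).most_common():
        print(f"{count:4d}  {principal}")
```

Pointed at /var/log/krb5kdc.log on the failing replica (ipa01 here), the script lists the principals that need the SID-assignment steps Alexander refers to in the 2023 threads; on FreeIPA 4.10 that is the SID generation task started with `ipa config-mod --enable-sid --add-sids`, a command not quoted in this thread. Since ipa02 issues tickets fine, comparing the output on both KDCs also tells you whether the missing attribute is a per-replica data problem rather than a client one.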