Hi Alexander, Thanks for the quick reply, I will look into that.
Roberto

On Tue, 2 Jan 2024 at 17:04, Alexander Bokovoy <[email protected]> wrote:
> On Tue, 02 Jan 2024, Roberto Cornacchia via FreeIPA-users wrote:
> >Hi there, clients are having trouble with kerberos authentication:
> >
> >$ kinit -V user
> >Using existing cache: xxxxxxxxxx:yyyyy
> >Using principal: [email protected]
> >Password for [email protected]:
> >kinit: Generic error (see e-text) while getting initial credentials
> >
> >On the ipa server, /var/log/krb5kdc.log says:
> >
> >Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> >aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> >camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
> ><http://192.168.0.202/>IP>: NEEDED_PREAUTH: [email protected]
> >for krbtgt/[email protected],
> >Additional pre-authentication required
> >Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
> >11
> >Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ :
> >handle_authdata (2)
> >Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes
> >{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> >aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> >camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) <
> ><http://192.168.0.202/>IP>: HANDLE_AUTHDATA: [email protected]
> >for krbtgt/[email protected], No such file or directory
>
> ^^^ this means the user roberto has no SID assigned. Look into numerous
> discussions on this mailing list in 2023, there are plenty of suggested
> actions in those threads.
>
> >Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
> >11
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
> >{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
> ><http://192.168.0.16/>IP>: NEEDED_PREAUTH: ldap/
> >[email protected] for krbtgt/
> >[email protected], Additional pre-authentication required
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
> >11
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes
> >{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> >aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) <
> ><http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
> >{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> >ses=aes256-cts-hmac-sha1-96(18)},
> >ldap/[email protected] for
> >krbtgt/[email protected]
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
> >11
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): TGS_REQ (4
> >etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> >aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) <
> ><http://192.168.0.16/>IP>: ISSUE: authtime 1703425257, etypes
> >{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> >ses=aes256-cts-hmac-sha1-96(18)},
> >ldap/[email protected] for
> >ldap/[email protected]
> >Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): closing down fd
> >11
> >
> >There are 2 ipa servers, ipa01 (Rocky 9.3, ipa 4.10.2) and ipa02 (Rocky 9.1,
> >ipa 4.10.0), both with CA and DNS. ipa02 is CRL master.
> >On both, ipa-healthcheck doesn't find any issue.
> >
> >Also: kinit fails from within ipa01, succeeds from within ipa02.
> >
> >The issue seems to be in ipa01, and I have already tried to reinstall it
> >from scratch. One thing that is different is the version.
> >
> >Could you please help me figure out what's wrong?
> >
> >Best regards,
> >Roberto
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
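The diagnosis in the thread hinges on telling three krb5kdc.log outcomes apart: NEEDED_PREAUTH (normal first round trip), ISSUE (ticket granted) and HANDLE_AUTHDATA ending in "No such file or directory" (the KDC could not build the PAC because the user has no SID). The following parser is an added example, not code from the thread or from FreeIPA; it assumes the MIT krb5kdc log line layout shown above and runs over constructed sample lines modelled on the excerpt (hostname, PID and realm are the thread's; the ldap/ service host and the bare client IPs are placeholders). It reports which principals hit the HANDLE_AUTHDATA failure so an operator can check those accounts rather than read the whole log.

```python
import re
from collections import Counter

# Constructed sample, modelled on the krb5kdc.log excerpt in the thread.
# The HANDLE_AUTHDATA line is the one that indicates a user without a SID;
# the "AS_REQ : handle_authdata (2)" and "closing down fd" lines carry no
# request data and are skipped by the parser.
SAMPLE_LOG = """\
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: NEEDED_PREAUTH: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, Additional pre-authentication required
Dec 24 14:40:34 ipa01.sub.example.com krb5kdc[3324](info): closing down fd 11
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ : handle_authdata (2)
Dec 24 14:40:51 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 192.168.0.202: HANDLE_AUTHDATA: user@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM, No such file or directory
Dec 24 14:40:57 ipa01.sub.example.com krb5kdc[3324](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.168.0.16: ISSUE: authtime 1703425257, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ldap/host.sub.example.com@SUB.EXAMPLE.COM for krbtgt/SUB.EXAMPLE.COM@SUB.EXAMPLE.COM
"""

# "<timestamp> <host> krb5kdc[<pid>](info): <AS_REQ|TGS_REQ> (<n> etypes {...}) <ip>: <STATUS>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <server>[, <message>]" as it appears after the status
PRINC_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$")


def parse_kdc_line(line):
    """Parse one request line into a dict, or return None for lines that
    carry no request (handle_authdata traces, 'closing down fd', etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    if rec["status"] == "ISSUE":
        # ISSUE lines prefix the principals with "authtime ..., etypes {...}, "
        rest = rest.rsplit("}, ", 1)[-1]
    pm = PRINC_RE.match(rest)
    if pm:
        rec.update(pm.groupdict())
    return rec


def find_authdata_failures(log_text):
    """Return (client, server, ip, message) for every request that died in
    HANDLE_AUTHDATA; with 'No such file or directory' this is the
    no-SID symptom discussed in the thread."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "HANDLE_AUTHDATA":
            hits.append((rec.get("client"), rec.get("server"),
                         rec.get("ip"), rec.get("msg")))
    return hits


def status_counts(log_text):
    """Count (client principal, status) pairs, which makes a single account
    failing after a successful NEEDED_PREAUTH round trip stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec.get("client"):
            counts[(rec["client"], rec["status"])] += 1
    return counts


if __name__ == "__main__":
    for client, server, ip, msg in find_authdata_failures(SAMPLE_LOG):
        print(f"HANDLE_AUTHDATA failure: {client} -> {server} from {ip}: {msg}")
    for (client, status), n in sorted(status_counts(SAMPLE_LOG).items()):
        print(f"{client:45} {status:16} {n}")
```

Run against a real /var/log/krb5kdc.log the script lists the affected principals; a user principal that reaches HANDLE_AUTHDATA while service principals on the same KDC reach ISSUE matches the pattern Alexander points at, and those accounts are the ones to check for a missing SID.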
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
