You will find, if you check in the ns-slapd "errors" log that this
server may no longer be handling replication correctly.
Look in /var/log/dirsrv/slapd-INSTANCE..../errors
Look for errors where replication is not starting correctly because of
credential problems. You may have to re-init this replica.
The reason "admin" is locked out is that something gets screwed up with
the keytab file that was originally installed (I have not found the
cause yet, only experienced the exact same thing)
Once the keytab file is messed up, others servers can't authenticate and
therefore the ADMIN account gets locked out. If you restart the server,
it will clear for a little while, but go rgiht back to being locked out.
Solution - delete the replica and recreate.
~J
On 9/3/15 2:08 AM, Torsten Harenberg wrote:
Dear all,
I cannot get an "admin" kerberos token anymore on our main IPA server:
[root@ipa log]# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials
Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
[email protected] for
krbtgt/[email protected], Clients
credentials have been revoked
also login via HTTP is not possible anymore:
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
HTTP/[email protected] for
krbtgt/[email protected], Additional
pre-authentication required
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
1441271092, etypes {rep=18 tkt=18 ses=18},
HTTP/[email protected] for
krbtgt/[email protected]
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
[email protected] for
krbtgt/[email protected], Clients
credentials have been revoked
while the same works on the secondary server.
I read
http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html
but this did not give me a clue how to get out of this.
I am pretty sure that I never entered a wrong password, but of course
someone could have tried to log in on the Web interface.
Any idea how this can be resolved?
Kind regards
Torsten
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
