Hi, on CentOS 7 I installed FreeIPA using "yum install ipa-server". Everything, including the client, is on the same machine. All went well: I can now log in to the web UI as "admin", create user accounts, etc. And "kinit admin", "kinit list" etc. all worked as expected right after installation.
But a couple of days later, even though I can still log in as the "admin" web user, in an SSH session on the server I get the following (I replaced the realm name with "REALM" here):
# kinit
kinit: Client 'root@REALM' not found in Kerberos database while getting initial credentials
# kinit admin
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
# kinit list
kinit: Client 'list@REALM' not found in Kerberos database while getting initial credentials
# env KRB5_TRACE=/dev/stdout kinit admin 2>&1
[11612] 1578511115.54729: Getting initial credentials for admin@REALM
[11612] 1578511115.54731: Sending unauthenticated request
[11612] 1578511115.54732: Sending request (167 bytes) to REALM
[11612] 1578511115.54733: Initiating TCP connection to stream 127.0.0.1:88
[11612] 1578511115.54734: Sending TCP request to stream 127.0.0.1:88
[11612] 1578511115.54735: Received answer (240 bytes) from stream 127.0.0.1:88
[11612] 1578511115.54736: Terminating TCP connection to stream 127.0.0.1:88
[11612] 1578511115.54737: Response was from master KDC
[11612] 1578511115.54738: Received error from KDC: -1765328359/Additional pre-authentication required
[11612] 1578511115.54741: Preauthenticating using KDC method data
[11612] 1578511115.54742: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-FX-COOKIE (133)
[11612] 1578511115.54743: Received cookie: MIT
[11612] 1578511115.54744: PKINIT client has no configured identity; giving up
[11612] 1578511115.54745: Preauth module pkinit (147) (info) returned: 0/Success
[11612] 1578511115.54746: PKINIT client has no configured identity; giving up
[11612] 1578511115.54747: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[11612] 1578511115.54748: PKINIT client has no configured identity; giving up
[11612] 1578511115.54749: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
# klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/ipa.host.name@REALM (aes256-cts-hmac-sha1-96)
2 host/ipa.host.name@REALM (aes128-cts-hmac-sha1-96)
2 host/ipa.host.name@REALM (des3-cbc-sha1)
2 host/ipa.host.name@REALM (arcfour-hmac)
2 host/ipa.host.name@REALM (camellia128-cts-cmac)
2 host/ipa.host.name@REALM (camellia256-cts-cmac)
So it looks like I lost "admin" in Kerberos?
The only thing I think I did is change the server's time and hwclock time by 9 minutes.
Thanks!