Hi,
I am getting an error logging into a FreeIPA server from a new FreeIPA client. I have reset the password for the user using "kinit admin" but still no joy. Is there another password that is needing to be set?
Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Password has expired
Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Decrypt integrity check failed
Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Password has expired
Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Decrypt integrity check failed
Any advice would be appreciated.
Patrick
On Fri, Jul 14, 2017 at 02:02:03AM -0000, patrick.mchale--- via FreeIPA-users wrote:
> Hi,
> I am getting an error logging into a FreeIPA server from a new FreeIPA client. I have reset the password for the user using "kinit admin" but still no joy. Is there another password that is needing to be set?
> Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Password has expired
> Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Decrypt integrity check failed
> Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Password has expired
> Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Decrypt integrity check failed
sssd should have prompted you for the new password. The "Decrypt integrity check failed" sounds like the wrong password was entered, though.
Does kinit $user work?
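
The log lines from the first message can be grouped per krb5_child process to see which failures belong to the same login attempt. The following is an added example, not part of the thread or of the SSSD/FreeIPA code; the function names and labels are hypothetical, and it assumes each krb5_child PID corresponds to one authentication attempt.

```python
import re
from collections import defaultdict

# The four log lines quoted in the first message of the thread.
SAMPLE_LOG = """\
Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Password has expired
Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Decrypt integrity check failed
Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Password has expired
Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Decrypt integrity check failed
"""

# syslog timestamp, host, krb5_child PID, then the Kerberos error text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]:\s(?P<msg>.*)$"
)
EXPIRED = "Password has expired"
DECRYPT = "Decrypt integrity check failed"


def group_by_child(log_text):
    """Group messages by krb5_child PID (assumption: one PID = one attempt)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines from other daemons are skipped
            attempts[int(m["pid"])].append(m["msg"])
    return dict(attempts)


def classify(msgs):
    """Label one attempt; the labels are hypothetical names for this example."""
    if EXPIRED in msgs and DECRYPT in msgs[msgs.index(EXPIRED) + 1:]:
        # Expiry was reported, then the next step failed to decrypt: the
        # reply in the thread reads this as a wrong password being entered.
        return "expired+decrypt-failed"
    if DECRYPT in msgs:
        return "decrypt-failed"
    if EXPIRED in msgs:
        return "expired-only"
    return "other"


def triage(log_text):
    """Return {pid: label} for every krb5_child attempt found in the log."""
    return {pid: classify(m) for pid, m in group_by_child(log_text).items()}


if __name__ == "__main__":
    for pid, label in triage(SAMPLE_LOG).items():
        print(pid, label)
```
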
Hi Jakub,
Apologies for hijacking the thread but you reminded me of a longstanding issue - I can't manually use kinit on my client nodes. As I operate a jump server that means I get a ticket on first login but when I log in to other client systems the ticket gives me entry but doesn't follow me. When I try to run kinit for my user the following message is printed:
$ kinit callum
kinit: Generic preauthentication failure while getting initial credentials
Not a single local log entry is generated. Any ideas?
Thanks,
On Fri, Jul 14, 2017 at 7:22 AM Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On Fri, Jul 14, 2017 at 02:02:03AM -0000, patrick.mchale--- via FreeIPA-users wrote:
> > Hi,
> > I am getting an error logging into a FreeIPA server from a new FreeIPA client. I have reset the password for the user using "kinit admin" but still no joy. Is there another password that is needing to be set?
> > Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Password has expired
> > Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Decrypt integrity check failed
> > Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Password has expired
> > Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Decrypt integrity check failed
> sssd should have prompted you for the new password. The "Decrypt integrity check failed" sounds like the wrong password was entered, though.
> Does kinit $user work?
On Fri, Jul 14, 2017 at 08:10:39AM +0000, Callum Guy via FreeIPA-users wrote:
> Hi Jakub,
> Apologies for hijacking the thread but you reminded me of a longstanding issue - I can't manually use kinit on my client nodes. As I operate a jump server that means I get a ticket on first login but when I log in to other client systems the ticket gives me entry but doesn't follow me. When I try to run kinit for my user the following message is printed:
> $ kinit callum
> kinit: Generic preauthentication failure while getting initial credentials
> Not a single local log entry is generated. Any ideas?
kinit doesn't generate logs unless you set the KRB5_TRACE variable, e.g.
KRB5_TRACE=/dev/stderr kinit callum
Thanks for that Jakub.
Following a review of the output I've found that this is simply a known conflict with OTP:
https://www.freeipa.org/page/V4/OTP#kinit_Method
On Fri, Jul 14, 2017 at 9:20 AM Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Fri, Jul 14, 2017 at 08:10:39AM +0000, Callum Guy via FreeIPA-users wrote:
> > Hi Jakub,
> > Apologies for hijacking the thread but you reminded me of a longstanding issue - I can't manually use kinit on my client nodes. As I operate a jump server that means I get a ticket on first login but when I log in to other client systems the ticket gives me entry but doesn't follow me. When I try to run kinit for my user the following message is printed:
> > $ kinit callum
> > kinit: Generic preauthentication failure while getting initial credentials
> > Not a single local log entry is generated. Any ideas?
> kinit doesn't generate logs unless you set the KRB5_TRACE variable, e.g.
> KRB5_TRACE=/dev/stderr kinit callum