Hello the list,
I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine); we're seeing this error when users try to log in: they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.
In this host's /var/log/sssd/ldap_child.log:
<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
On the FreeIPA server, from /var/log/krb5kdc.log:
17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
On the host in question klist gives the following (note that kinit works, even if ssh login does not):
sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
sles01:~ # kvno host/sles01.example.org@EXAMPLE.ORG
host/sles01.example.org@EXAMPLE.ORG: kvno = 3
Also, I've compared NTP and there's only ~2.5ms offset between the two hosts.
Increasing the logging level of sssd to debug_level=9 does not generate more logs.
On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
Hello the list,
I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine); we're seeing this error when users try to log in: they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.
In this host's /var/log/sssd/ldap_child.log:
<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
On the FreeIPA server, from /var/log/krb5kdc.log:
17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
On the host in question klist gives the following (note that kinit works, even if ssh login does not):
sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
^^^
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for admin@EXAMPLE.ORG:
sles01:~ # kvno host/sles01.example.org@EXAMPLE.ORG
host/sles01.example.org@EXAMPLE.ORG: kvno = 3
^^^
The host keys stored in /etc/krb5.keytab got out of sync: the keytab still has KVNO 1 while the current one is already 3.
Most probably someone called ipa-getkeytab without writing the result back to /etc/krb5.keytab. ipa-getkeytab by default will generate new keys; you have to use the option --retrieve to get the current keys.
To fix this call ipa-getkeytab again with the --keytab=/etc/krb5.conf option on sles01.example.org to update /etc/krb5.keytab.
HTH
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
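A quick way to catch the keytab/KDC version drift Sumit diagnoses above, before it turns into "Preauthentication failed" in ldap_child.log. This is an added example, not part of the thread and not FreeIPA's own tooling. The klist -kte and kvno outputs embedded in it are constructed to mirror the ones posted above; on a live host you would feed the functions the real output of `klist -kte` and `kvno <principal>` (kvno requests a service ticket, so run kinit first).

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): compare the KVNO that
# /etc/krb5.keytab holds for a principal with the KVNO the KDC currently
# reports, which is the mismatch Sumit diagnosed (keytab KVNO 1, KDC KVNO 3).

# Constructed stand-in for the output of `klist -kte`, shaped like the thread's.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)'

# Constructed stand-in for the output of `kvno host/sles01.example.org@EXAMPLE.ORG`.
SAMPLE_KVNO='host/sles01.example.org@EXAMPLE.ORG: kvno = 3'

# keytab_kvnos KLIST_OUTPUT
# Prints "<principal> <highest KVNO in the keytab>" per principal. The three
# header lines are skipped; each entry is "KVNO date time principal (enctype)".
keytab_kvnos() {
    printf '%s\n' "$1" | awk '
        NR > 3 && $1 ~ /^[0-9]+$/ {
            if (($1 + 0) > (max[$4] + 0)) max[$4] = $1 + 0
        }
        END { for (p in max) print p, max[p] }'
}

# kdc_kvno KVNO_OUTPUT
# Extracts the version number from a "principal: kvno = N" line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Exit 0 if the keytab entry matches the KDC, 1 if it is stale, 2 if the
# principal is missing from the keytab or the kvno output is unparseable.
check_kvno() {
    kt=$(keytab_kvnos "$1" | awk -v p="$3" '$1 == p { print $2 }')
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then
        echo "MISSING: $3 has no entry in the keytab" >&2
        return 2
    fi
    if [ -z "$kdc" ]; then
        echo "ERROR: could not read a KVNO for $3 from the KDC" >&2
        return 2
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: $3 keytab KVNO $kt matches the KDC"
        return 0
    fi
    echo "STALE: $3 keytab KVNO $kt but KDC KVNO $kdc; refresh it with ipa-getkeytab on this host" >&2
    return 1
}

# Demo on the constructed samples. On a real host substitute
#   check_kvno "$(klist -kte)" "$(kvno "$PRINC")" "$PRINC"
# after obtaining a ticket with kinit, since kvno requests a service ticket.
PRINC='host/sles01.example.org@EXAMPLE.ORG'
if check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$PRINC"; then
    echo "keytab is current"
else
    echo "keytab check failed with status $?"
fi
```

The check only compares version numbers, which is all klist and kvno expose; a keytab whose KVNO matches but whose keys are otherwise wrong still shows up only as the preauth failures above. Wiring it into a host health check is cheap, and a STALE result tells you to re-run ipa-getkeytab on that host rather than chase clock skew or sssd debug levels.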
I ran the ipa-getkeytab command you suggested below. This was what I got. BTW: the IPAUSER is an admin user, but not the "admin" user. I got the same result with the admin user.
~] IPA-02 # kinit IPAUSER
Password for x_IPAUSER@INT.EXAMPLE.COM: ********
~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
Failed to parse result: Insufficient access rights
Failed to get keytab
Many thanks
On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Mon, Dec 04, 2017 at 09:37:41AM +0000, James Harrison wrote:
I ran the ipa-getkeytab command you suggested below. This was what I got. BTW: the IPAUSER is an admin user, but not the "admin" user. I got the same result with the admin user.
~] IPA-02 # kinit IPAUSER
Password for x_IPAUSER@INT.EXAMPLE.COM: ********
~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
Failed to parse result: Insufficient access rights
The keytab content should be protected like a clear-text password, hence not even IPA admin users have access by default, and I would recommend only using the --retrieve option of ipa-getkeytab if it is really needed, i.e. if the keys really have to be used in two different places and there is no other secure way to copy the keytab content. If you just want to get /etc/krb5.keytab up to date, just do not use the --retrieve option.
If you still want to use --retrieve, you can find the details about setting the permissions e.g. at https://www.freeipa.org/page/V4/Keytab_Retrieval_Management.
HTH
bye, Sumit
UPDATE: The principal info was wrong. I did this and the error hasn't shown up since:
[root@ipa-02 ~]# ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p host/ipa-02 --retrieve
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Thanks for all your help.
On Monday, 4 December 2017, 09:53:55 GMT, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: