[Freeipa-users] Needed_Preauth Issue

Simo Sorce ssorce at redhat.com
Tue Mar 9 15:55:51 UTC 2010


On Mon, 08 Mar 2010 18:15:05 -0600
David Christensen <david at adurotec.com> wrote:

> I have two servers that I have installed the ipa-client on. Both of
> these servers are configured the same way; however, one is providing
> single sign-on, while the other is not and instead prompts for a
> password when a user logs in.
> 
> I did verify that DNS is configured correctly for both servers. I
> issue kinit prior to logging into either server and verified that I
> have a valid ticket for both servers, but the failing server remains
> unchanged. When I look at the krb5kdc.log I see the following for the
> server that is prompting for a password:
> 
> Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.200.3.131:
> NEEDED_PREAUTH: davidc at EXAMPLE.NET for
> krbtgt/EXAMPLE.NET at EXAMPLE.NET, Additional pre-authentication required
> 
> Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12
> etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.200.3.131: ISSUE:
> authtime 1268090753, etypes {rep=18 tkt=18 ses=18},
> davidc at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET
> 
> Where else should I look to find the root cause of this issue?  What
> typically causes this type of symptom?

NEEDED_PREAUTH is perfectly natural; you have it for every principal as
it is our default. If you don't see your client requesting a ticket for
host/<your.server.fqdn>@EXAMPLE.NET then that is going to be an issue.

If you obtained a ticket for your server and it still falls back to
password auth I suggest looking at the server's logs.

Simo.



-- 
Simo Sorce * Red Hat, Inc * New York
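
The check described in the reply, as an added example that is not part of the original message or of FreeIPA's tooling: it scans krb5kdc.log lines for a TGS_REQ for host/<server fqdn> from one client. The function name, the server name web2.example.net and the TGS_REQ sample line are assumptions constructed for illustration.

```python
import re

# One krb5kdc request line. Real logs use "@" in principals; the list
# archive rewrote it as " at ", so both spellings are accepted.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) [\d.]+: "
    r"(?P<status>[A-Z_]+): (?:authtime \d+,\s+(?:etypes \{.*?\},\s+)?)?"
    r"(?P<client>\S+?)(?:@| at )\S+ for (?P<service>\S+?)(?:@| at )[^\s,]+"
)

def diagnose(lines, client, server_fqdn):
    want = "host/" + server_fqdn.lower()
    tgt_issued, host_status = False, None
    for line in lines:
        m = LINE.search(line)
        if not m or m["client"] != client:
            continue
        service = m["service"].lower()
        if m["req"] == "AS_REQ" and service.startswith("krbtgt/"):
            # NEEDED_PREAUTH followed by ISSUE is the normal exchange.
            tgt_issued = tgt_issued or m["status"] == "ISSUE"
        elif m["req"] == "TGS_REQ" and service == want:
            host_status = m["status"]  # last status seen wins
    if not tgt_issued:
        return "no-tgt"
    if host_status is None:
        return "no-host-ticket-request"  # client never asked the KDC
    return ("host-ticket-issued" if host_status == "ISSUE"
            else "host-ticket-error:" + host_status)

PFX = "Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): "
AS = PFX + "AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.200.3.131: "
# The two lines quoted in the thread, re-joined onto single lines.
THREAD_LINES = [
    AS + "NEEDED_PREAUTH: davidc at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET, "
    "Additional pre-authentication required",
    AS + "ISSUE: authtime 1268090753, etypes {rep=18 tkt=18 ses=18}, "
    "davidc at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET",
]
# Constructed line, not from the thread; web2.example.net is hypothetical.
CONSTRUCTED_TGS = (
    PFX + "TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.200.3.131: "
    "ISSUE: authtime 1268090753, etypes {rep=18 tkt=18 ses=18}, "
    "davidc@EXAMPLE.NET for host/web2.example.net@EXAMPLE.NET"
)

if __name__ == "__main__":
    for extra in ([], [CONSTRUCTED_TGS]):
        print(diagnose(THREAD_LINES + extra, "davidc", "web2.example.net"))
```

A result of "host-ticket-issued" means the KDC side is fine and the next place to look is the server's own logs, as the reply suggests.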