[Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server
Dan Scott
danieljamesscott at gmail.com
Wed Sep 21 20:10:25 UTC 2011
Hi,
I have a FreeIPA 1.2 realm running.
I've installed a new server running 2.1 and migrated the user accounts
across. I've installed a client and am trying to authenticate against
the new server. I get the following errors:
djscott at pc35:~$ kinit
Password for djscott at EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
djscott at pc35:~$
The server krb5kdc log contains the following:
Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH:
djscott at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional
pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth
(timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ
(4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED:
djscott at EXAMPLE.COM for krbtgtEXAMPLE.COM at EXAMPLE.COM,
Preauthentication failed
I've been to the page:
https://fileserver1.example.com/ipa/migration/
And tried to migrate my password, but I receive:
"There was a problem with your request. Please, try again later. If
the problem persists, contact your administrator."
The same error occurs when I try to authenticate as myself on the
server, although 'id djscott' returns the correct list of groups, so
it appears that LDAP is working, but Kerberos is not. I guess it's
something to do with the password migration?
Anyone know how I can figure out what's going wrong?
Thanks,
Dan Scott
More information about the Freeipa-users
mailing list