[Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved
Jakub Hrozek
jhrozek at redhat.com
Tue Jun 2 18:09:27 UTC 2015
On Tue, Jun 02, 2015 at 10:39:31AM +0200, Christopher Lamb wrote:
> Hi Jakub
>
> Yes root login works, that's how I've been getting into the box.
>
> Surprisingly, kinit with my user seems to work on that box. After entering
> my password when prompted, it returns to the commandline without error.
>
> However if I try kinit with another FreeIPA user, then instead of prompting
> for a password, it gives "Generic preauthentication failure while getting
> initial credentials" error.
>
> Having set debug_level=10, when I try and ssh in with my FreeIPA user, I
> find errors like
>
> "Retrieving host .... with result: .. Matching credential not found"
>
> "Received error from KDC ... Additional pre-authentication required"
>
> "Received error from KDC... Decrypt integrity check failed"
>
> "Received error code 1432158219"
Replied more in-depth off-list because the logs came in a private mail
but for anyone having similar symptoms -- the Kerberos tracing info
includes the IP address of the KDC we're trying to talk to. It's worth
checking if it's the server that knows the user principal etc..
More information about the Freeipa-users
mailing list