[Freeipa-users] interesting Kerberos issue
Dmitri Pal
dpal at redhat.com
Mon May 4 17:30:02 UTC 2015
On 05/04/2015 11:49 AM, Janelle wrote:
> Happy Star Wars Day!
> May the Fourth be with you!
>
> So I have a strange Kerberos problem trying to figure out. On a
> CLIENT, (CentOS 7.1) if I login to account "usera" they get a ticket
> as expected. However, if I login to a 6.6 client, it doesn't seem to
> work. Both were enrolled the same, obviously one is newer.
>
> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
> as root, bypassing kerberos, and then do "kinit admin" it works just
> fine. But if I do "kinit usera" I get:
>
> kinit: Generic preauthentication failure while getting initial
> credentials
>
> Which makes no sense. The account works with a 7.1 client but not a
> 6.x client?? And yet "admin" works, no matter what. What am I missing
> here?
>
> ~J
>
This is really strange. What does happen on the server when you try
kinit usera? Have you checked the KDC log?
Look at the usera entry, may be there is some strange attribute there
that causes this failure. Compare with admin entry. May be it will shed
some light.
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
More information about the Freeipa-users
mailing list