[Freeipa-users] interesting Kerberos issue
Simo Sorce
simo at redhat.com
Mon May 4 20:02:25 UTC 2015
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
> Happy Star Wars Day!
> May the Fourth be with you!
>
> So I have a strange Kerberos problem trying to figure out. On a
> CLIENT, (CentOS 7.1) if I login to account "usera" they get a ticket as
> expected. However, if I login to a 6.6 client, it doesn't seem to work.
> Both were enrolled the same, obviously one is newer.
>
> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login as
> root, bypassing kerberos, and then do "kinit admin" it works just fine.
> But if I do "kinit usera" I get:
>
> kinit: Generic preauthentication failure while getting initial credentials
>
> Which makes no sense. The account works with a 7.1 client but not a 6.x
> client?? And yet "admin" works, no matter what. What am I missing here?
Have you recently changed the user password ?
If so this symptom may indicate you are having replication issues
between your servers, and one of the client is hitting the server that
didn't get the keys replicated to it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list