[Freeipa-users] interesting Kerberos issue

Janelle janellenicole80 at gmail.com
Tue May 5 01:22:21 UTC 2015


On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>> Happy Star Wars Day!
>> May the Fourth be with you!
>>
>> So I have a strange Kerberos problem trying to figure out. On a
>> CLIENT (CentOS 7.1), if I login to account "usera" they get a ticket
>> as expected. However, if I login to a 6.6 client, it doesn't seem to
>> work. Both were enrolled the same, obviously one is newer.
>>
>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>> as root, bypassing kerberos, and then do "kinit admin" it works just
>> fine. But if I do "kinit usera" I get:
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> Which makes no sense. The account works with a 7.1 client but not a
>> 6.x client?? And yet "admin" works, no matter what. What am I missing
>> here?
> If I had to guess, usera is enabled for OTP-only login. Is that
> correct?
>
> If so, clients require RHEL 7.1 for OTP support. Also, the error you
> are getting is the result of not enabling FAST support for OTP
> authentication (see the -T option).
>
> Nathaniel

Apparently I am not being clear. The user account can log in all over the
place with no problems -- RHEL 7.1 or 6.6. HOWEVER, on 7.1, a login
provides a direct TGT, but no matter what you do on any other host using
kinit (after logging in with an SSH key perhaps or as another user), and
even knowing the password, you get this error.

Again, logging in with the password, not OTP, works just fine.

Confusing,
~J



