[Freeipa-users] interesting Kerberos issue

Dmitri Pal dpal at redhat.com
Tue May 5 01:24:31 UTC 2015


On 05/04/2015 09:22 PM, Janelle wrote:
> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>> Happy Star Wars Day!
>>> May the Fourth be with you!
>>>
>>> So I have a strange Kerberos problem I'm trying to figure out.  On a
>>> CLIENT (CentOS 7.1), if I login to account "usera" they get a
>>> ticket as
>>> expected.  However, if I login to a 6.6 client, it doesn't seem to
>>> work.
>>> Both were enrolled the same, obviously one is newer.
>>>
>>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>> as
>>> root, bypassing kerberos, and then do "kinit admin" it works just
>>> fine.
>>> But if I do "kinit usera" I get:
>>>
>>> kinit: Generic preauthentication failure while getting initial
>>> credentials
>>>
>>> Which makes no sense. The account works with a 7.1 client but not a
>>> 6.x
>>> client?? And yet "admin" works, no matter what. What am I missing
>>> here?
>> If I had to guess, usera is enabled for OTP-only login. Is that
>> correct?
>>
>> If so, clients require RHEL 7.1 for OTP support. Also, the error you
>> are getting is the result of not enabling FAST support for OTP
>> authentication (see the -T option).
>>
>> Nathaniel
> Apparently I am not being clear. The user account can login all over 
> the place with no problems -- RHEL 7.1 or 6.6.  HOWEVER, on 7.1, a 
> login provides a direct tgt, but no matter what you do on any other 
> host using kinit (after logging in with an SSH key perhaps or as 
> another user), and even knowing the password, you get this error.
>
> Again, logging in with the password, not OTP, works just fine.
>
> Confusing,
> ~J
>
Do you get any SELinux AVCs?
Maybe it is an issue of the ticket cache permissions/labels?

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
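Dmitri's question about SELinux AVCs, as an added illustration that is not part of the thread: a small Python filter that picks out AVC denials touching Kerberos credential caches from audit.log, run over constructed sample records. The program names, contexts and record contents are assumed samples, and treating tclass=key denials from kinit/sssd as KEYRING-cache activity is an assumption about the RHEL 7 default cache type.

```python
import re

# Constructed audit.log excerpt (not from the thread); mirrors the auditd AVC record layout.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1430787000.123:4711): avc:  denied  { read } for  pid=2345 comm="kinit" name="krb5cc_1001" dev="tmpfs" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1430787001.456:4712): avc:  denied  { write } for  pid=2346 comm="sshd" name="krb5cc_1001_XyZ" dev="tmpfs" ino=12346 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1430787002.789:4713): avc:  denied  { getattr } for  pid=2347 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1430787003.000:4714): avc:  denied  { search } for  pid=2348 comm="kinit" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1430787000.123:4711): arch=c000003e syscall=2 success=no exit=-13 comm="kinit"
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of programs that touch a user's credential cache during login / kinit.
KRB_PROGS = {"kinit", "klist", "kdestroy", "sshd", "sssd", "sssd_be", "sssd_pam"}

def parse_avc(line):
    """Return a dict of the AVC record's key=value fields, or None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = m.group("perms").split()
    rec["target"] = rec.get("path") or rec.get("name") or ""
    return rec

def is_ccache_denial(rec):
    """True when a denial plausibly concerns a Kerberos credential cache."""
    if rec["decision"] != "denied":
        return False
    if "krb5cc" in rec["target"]:  # FILE: caches, e.g. /tmp/krb5cc_<uid>
        return True
    # KEYRING: caches (assumed RHEL 7 default) surface as tclass=key denials
    return rec.get("tclass") == "key" and rec.get("comm") in KRB_PROGS

def ccache_denials(audit_text):
    """Filter an audit.log text down to credential-cache related AVC denials."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and is_ccache_denial(rec):
            out.append(rec)
    return out

if __name__ == "__main__":
    for d in ccache_denials(SAMPLE_AUDIT):
        print(f"{d['comm']:>6} denied {' '.join(d['perms']):<8} on "
              f"{d['target'] or d['tclass']:<16} {d['scontext']} -> {d['tcontext']}")
```

On a real host, feed it `ausearch -m avc --raw` output instead of the constructed sample; a hit from kinit or sshd against a krb5cc file or a key object is the signal Dmitri is asking about.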
