[Freeipa-users] interesting Kerberos issue
Janelle
janellenicole80 at gmail.com
Tue May 5 01:38:29 UTC 2015
On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>> Happy Star Wars Day!
>> May the Fourth be with you!
>>
>> So I have a strange Kerberos problem I am trying to figure out. On a
>> CLIENT (CentOS 7.1), if I log in to account "usera" they get a ticket as
>> expected. However, if I log in to a 6.6 client, it doesn't seem to work.
>> Both were enrolled the same, obviously one is newer.
>>
>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I log in as
>> root, bypassing Kerberos, and then do "kinit admin" it works just fine.
>> But if I do "kinit usera" I get:
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> Which makes no sense. The account works with a 7.1 client but not a 6.x
>> client?? And yet "admin" works, no matter what. What am I missing here?
> If I had to guess, usera is enabled for OTP-only login. Is that
> correct?
>
> If so, clients require RHEL 7.1 for OTP support. Also, the error you
> are getting is the result of not enabling FAST support for OTP
> authentication (see the -T option).
>
> Nathaniel
Ok, this did give me an idea (Thanks Nathaniel) -- the account was set
for BOTH "password" and OTP.
Apparently setting both does nothing. Yes, a user can log in with their
password only, but trying to use kinit does not work.
I am not sure I understand where the FAST support or the -T option is to
be applied. On kinit? That does not seem correct. Perhaps I am
misunderstanding this option?
~J