[Freeipa-users] interesting Kerberos issue

Janelle janellenicole80 at gmail.com
Tue May 5 01:38:29 UTC 2015


On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>> Happy Star Wars Day!
>> May the Fourth be with you!
>>
>> So I have a strange Kerberos problem I'm trying to figure out. On a
>> CLIENT (CentOS 7.1), if I log in to account "usera" they get a ticket
>> as expected. However, if I log in to a 6.6 client, it doesn't seem to
>> work. Both were enrolled the same, obviously one is newer.
>>
>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I log in
>> as root, bypassing Kerberos, and then do "kinit admin" it works just
>> fine. But if I do "kinit usera" I get:
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> Which makes no sense. The account works with a 7.1 client but not a
>> 6.x client?? And yet "admin" works, no matter what. What am I missing
>> here?
> If I had to guess, usera is enabled for OTP-only login. Is that
> correct?
>
> If so, clients require RHEL 7.1 for OTP support. Also, the error you
> are getting is the result of not enabling FAST support for OTP
> authentication (see the -T option).
>
> Nathaniel
OK, this did give me an idea (thanks, Nathaniel) -- the account was set
for BOTH "password" and OTP.
Apparently setting both does nothing. Yes, a user can log in with their
password only, but trying to use kinit does not work.

I am not sure I understand where the FAST support or the -T option is to
be applied. On kinit? That does not seem correct. Perhaps I am
misunderstanding this option?

~J



