[Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

Robert Kudyba rkudyba at fordham.edu
Mon Nov 28 16:38:07 UTC 2016


There seems to be a problem either with Kerberos and/or using a self signed certificate vs. Let’s Encrypt. I tried to run the set up script from https://github.com/freeipa/freeipa-letsencrypt and below are some errors and logs.

Within the /etc/httpd/conf.d/ipa.conf file I commented out these directives as I had some Apache redirects that were breaking:

#WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 display-name=%{GROUP} socket-timeout=2147483647
#WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
#WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
#WSGIScriptReloading Off

./setup-le.sh 
Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin
kinit: Generic preauthentication failure while getting initial credentials

journalctl -u named-pkcs11
-- No entries --

journalctl -u named
-- No entries --

file /var/named/data/named.run
/var/named/data/named.run: cannot open `/var/named/data/named.run' (No such file or directory)

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))

ipa help krbtpolicy
ipa: ERROR: did not receive Kerberos credentials

In /var/log/krb5kdc.log:

Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11

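The krb5kdc.log lines above show only the first half of a kinit exchange: the KDC answers AS_REQ with NEEDED_PREAUTH and then nothing follows for that principal, neither an ISSUE line (ticket granted) nor a PREAUTH_FAILED line (KDC rejected the preauth data). The script below is an added example, not from the original post or from FreeIPA, that classifies the last AS_REQ outcome per client principal from a log in this format. The realm EXAMPLE.TEST, the principals, the client addresses and the temporary log path are constructed sample data; the three status keywords are the ones the MIT KDC writes.

```shell
#!/bin/sh
# Added example (not from the original post): classify the outcome of AS_REQ
# (kinit) attempts per client principal in a krb5kdc.log, so that a
# NEEDED_PREAUTH line with no follow-up can be told apart from a rejected
# password. Realm, principals, addresses and the log path are constructed.
set -u

# Constructed sample log, same line format as the krb5kdc.log lines in the post.
SAMPLE_LOG="${TMPDIR:-/tmp}/krb5kdc-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.5: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.6: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.6: ISSUE: authtime 1480331102, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 28 11:06:10 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.7: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:06:11 krb5kdc[19575](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Nov 28 11:06:11 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.0.7: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
EOF

# Print the KDC's last AS_REQ status for one client principal:
#   issued                  -> ticket granted, preauth completed
#   preauth-failed          -> KDC rejected the preauth data (e.g. wrong password)
#   preauth-never-completed -> only the NEEDED_PREAUTH round-trip was seen;
#                              no preauth data from the client reached the KDC
#   no-request              -> principal never appears in an AS_REQ line
as_req_outcome() {
    log=$1; princ=$2
    last=$(grep 'AS_REQ' "$log" | grep -F " $princ for " | tail -n 1)
    case "$last" in
        '')                      echo no-request ;;
        *': ISSUE: '*)           echo issued ;;
        *': PREAUTH_FAILED: '*)  echo preauth-failed ;;
        *': NEEDED_PREAUTH: '*)  echo preauth-never-completed ;;
        *)                       echo other ;;
    esac
}

# List every principal whose most recent AS_REQ stopped at NEEDED_PREAUTH.
stalled_principals() {
    awk '
        /AS_REQ/ && match($0, /: (NEEDED_PREAUTH|ISSUE|PREAUTH_FAILED): /) {
            # strip the leading ": " and trailing ": " around the keyword
            status = substr($0, RSTART + 2, RLENGTH - 4)
            # the client principal is the word before "for"
            for (i = 2; i <= NF; i++) if ($i == "for") { princ = $(i - 1); break }
            last[princ] = status
        }
        END { for (p in last) if (last[p] == "NEEDED_PREAUTH") print p }
    ' "$1" | sort
}

for p in admin@EXAMPLE.TEST alice@EXAMPLE.TEST bob@EXAMPLE.TEST carol@EXAMPLE.TEST; do
    printf '%-22s %s\n' "$p" "$(as_req_outcome "$SAMPLE_LOG" "$p")"
done
echo "stalled: $(stalled_principals "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run against the two admin lines quoted in the post, the classifier reports preauth-never-completed, which is the category worth checking first: the KDC answered the initial request normally and never saw a second one, so the error reported by kinit was raised on the client before any preauth data was sent, rather than by the KDC rejecting it.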