[Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

Tomas Krizek tkrizek at redhat.com
Tue Nov 29 09:50:10 UTC 2016


On 11/28/2016 05:38 PM, Robert Kudyba wrote:
> There seems to be a problem either with Kerberos and/or using a self 
> signed certificate vs. Let’s Encrypt. I tried to run the set up script 
> from https://github.com/freeipa/freeipa-letsencrypt and below are some 
> errors and logs.
>
> Within the /etc/httpd/conf.d/ipa.conf file I commented out 
> these directives as I had some Apache redirects that were breaking:
>
> #WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
>  display-name=%{GROUP} socket-timeout=2147483647
> #WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
> application-group=ipa
> #WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
> #WSGIScriptReloading Off
>
> ./setup-le.sh
> Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
> Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
> Dependencies resolved.
> Nothing to do.
> Complete!
> Installing CA certificate, please wait
> Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
> certificate issuer has been marked as not trusted by the user. (visit 
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> ipa_memcached Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> kinit admin
> kinit: Generic preauthentication failure while getting initial credentials
>
> journalctl -u named-pkcs11
> -- No entries --
>
> journalctl -u named
> -- No entries --
>
>  file /var/named/data/named.run
> /var/named/data/named.run: cannot open `/var/named/data/named.run' (No 
> such file or directory)
>
> ldapsearch -Y GSSAPI 
> '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (No Kerberos 
> credentials available (default cache: KEYRING:persistent:0))
>
> ipa help krbtpolicy
> ipa: ERROR: did not receive Kerberos credentials
>
> In /var/log/krb5kdc.log:
>
> Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
> Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 
> 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, 
> Additional pre-authentication required
> Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
> Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 
> 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, 
> Additional pre-authentication required
> Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
>
>
>
Hi,

you're hitting an issue with Let's Encrypt setup.

https://github.com/freeipa/freeipa-letsencrypt/issues/1

unfortunately, I'm not aware of any workaround or solution as of now.

-- 
Tomas Krizek
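
The KDC log quoted in the report shows the pattern worth recognising: an AS_REQ answered with NEEDED_PREAUTH and then nothing, repeated on every kinit attempt, with no ISSUE and no PREAUTH_FAILED. That means the KDC never received the second, preauthenticated AS_REQ at all, so the client gave up locally before answering the challenge, which is what kinit surfaces as a generic preauthentication failure. Had the KDC logged PREAUTH_FAILED instead, the second request did arrive and the KDC rejected it (wrong password, key mismatch, clock skew). The script below is an added example, not part of the thread or of FreeIPA; it classifies AS_REQ outcomes per client principal from krb5kdc.log lines. The sample log is constructed: the realm EXAMPLE.COM, the client addresses and the timestamps are made up, and the ISSUE and PREAUTH_FAILED line shapes follow the MIT krb5 KDC log format (the thread's lines have the address and realm scrubbed by the list archive).

```python
"""Classify AS_REQ outcomes in krb5kdc.log per client principal.

A healthy kinit leaves a NEEDED_PREAUTH line followed shortly by an ISSUE line
for the same client. Two failure shapes are worth telling apart:
  * NEEDED_PREAUTH followed by PREAUTH_FAILED: the KDC received the second
    AS_REQ and rejected its preauth data (wrong password, bad key, clock skew).
  * NEEDED_PREAUTH with no follow-up at all: the client never sent the second
    AS_REQ, so it failed on its own side before answering the challenge. kinit
    reports that as a generic preauthentication failure.
"""
import re
from collections import defaultdict

# MIT krb5 KDC AS_REQ log line. The host field between the timestamp and
# "krb5kdc[pid]" is optional because the thread's lines have it stripped.
# The optional "authtime ..., etypes {...}," group is only present on ISSUE.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<src>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)

# Constructed sample log (realm, addresses and times are invented). The first
# four lines mirror the shape quoted in the thread: two challenges, no answer.
SAMPLE_LOG = """\
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
Nov 28 11:16:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 28 11:16:02 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.20: ISSUE: authtime 1480331762, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 28 11:17:11 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.30: NEEDED_PREAUTH: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 28 11:17:12 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.30: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""


def parse_as_req(line):
    """Return the parsed fields of an AS_REQ log line, or None for other lines."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec


def summarize(lines):
    """Per-client counts of AS_REQ outcomes.

    'stalled' is True when the client's most recent AS_REQ event is a
    NEEDED_PREAUTH challenge that was never followed by any further AS_REQ
    (no ISSUE, no PREAUTH_FAILED, no other KDC verdict).
    """
    summary = defaultdict(lambda: {"needed_preauth": 0, "issued": 0,
                                   "preauth_failed": 0, "other": 0,
                                   "stalled": False})
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        s = summary[rec["client"]]
        status = rec["status"]
        if status == "NEEDED_PREAUTH":
            s["needed_preauth"] += 1
            s["stalled"] = True          # challenge sent, awaiting the answer
        elif status == "ISSUE":
            s["issued"] += 1
            s["stalled"] = False
        elif status == "PREAUTH_FAILED":
            s["preauth_failed"] += 1
            s["stalled"] = False         # the answer arrived; the KDC rejected it
        else:
            s["other"] += 1              # e.g. CLIENT_NOT_FOUND, still a KDC verdict
            s["stalled"] = False
    return dict(summary)


def stalled_clients(lines):
    """Principals whose last AS_REQ was an unanswered preauth challenge."""
    return sorted(c for c, s in summarize(lines).items() if s["stalled"])


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, s)
    print("clients stuck before preauth:", stalled_clients(SAMPLE_LOG.splitlines()))
```

Run it against a real log with `summarize(open("/var/log/krb5kdc.log").readlines())`; a principal listed by `stalled_clients` has a client-side problem to chase (in the thread, the Let's Encrypt setup tracked in the linked issue), while a rising `preauth_failed` count points at credentials or clock skew on the KDC side.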
