[Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

Tomas Krizek tkrizek at redhat.com
Tue Nov 29 12:41:33 UTC 2016


On 11/29/2016 10:50 AM, Tomas Krizek wrote:
> On 11/28/2016 05:38 PM, Robert Kudyba wrote:
>> There seems to be a problem either with Kerberos and/or using a self 
>> signed certificate vs. Let’s Encrypt. I tried to run the set up 
>> script from https://github.com/freeipa/freeipa-letsencrypt and below 
>> are some errors and logs.
>>
>> Within the /etc/httpd/conf.d/ipa.conf file I commented out 
>> these directives as I had some Apache redirects that were breaking:
>>
>> #WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
>>  display-name=%{GROUP} socket-timeout=2147483647
>> #WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa 
>> application-group=ipa
>> #WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
>> #WSGIScriptReloading Off
>>
>> ./setup-le.sh
>> Last metadata expiration check: 0:24:16 ago on Mon Nov 28 10:40:45 2016.
>> Package certbot-0.9.3-1.fc25.noarch is already installed, skipping.
>> Dependencies resolved.
>> Nothing to do.
>> Complete!
>> Installing CA certificate, please wait
>> Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
>> certificate issuer has been marked as not trusted by the user. (visit 
>> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
>> The ipa-cacert-manage command failed.
>>
>> ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> ipa_memcached Service: RUNNING
>> ipa-custodia Service: RUNNING
>> ntpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> kinit admin
>> kinit: Generic preauthentication failure while getting initial 
>> credentials
>>
>> journalctl -u named-pkcs11
>> -- No entries --
>>
>> journalctl -u named
>> -- No entries --
>>
>>  file /var/named/data/named.run
>> /var/named/data/named.run: cannot open `/var/named/data/named.run' 
>> (No such file or directory)
>>
>> ldapsearch -Y GSSAPI 
>> '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
>> GSS failure.  Minor code may provide more information (No Kerberos 
>> credentials available (default cache: KEYRING:persistent:0))
>>
>> ipa help krbtpolicy
>> ipa: ERROR: did not receive Kerberos credentials
>>
>> In /var/log/krb5kdc.log:
>>
>> Nov 28 05:19:49 krb5kdc[19575](info): closing down fd 11
>> Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 
>> 25 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, 
>> Additional pre-authentication required
>> Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
>> Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 
>> 25 26}) ip: NEEDED_PREAUTH: admin at for krbtgt/ourdomain@ ourdomain, 
>> Additional pre-authentication required
>> Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11
>>
>>
>>
> Hi,
>
> you're hitting an issue with Let's Encrypt setup.
>
> https://github.com/freeipa/freeipa-letsencrypt/issues/1
>
> unfortunately, I'm not aware of any workaround or solution as of now.
> -- 
> Tomas Krizek
>
>
The issue should be fixed now. Please try to set up Let's Encrypt again. 
In case it does not work, you might need to reinstall IPA before setting 
up Let's Encrypt.

-- 
Tomas Krizek
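The krb5kdc.log excerpt quoted above shows only NEEDED_PREAUTH entries for admin, with no ISSUE or PREAUTH_FAILED line after them: the KDC challenged the client for pre-authentication and never received an answer, which is what a client-side "Generic preauthentication failure" looks like from the KDC side. The following is an added example (mine, not code from this thread or from FreeIPA) that parses AS_REQ lines of that shape, tallies outcomes per client principal and flags principals stuck at the challenge; the realm EXAMPLE.TEST, the addresses and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# AS_REQ lines as krb5kdc writes them to krb5kdc.log (same shape as the
# excerpt in the thread; a hostname field before "krb5kdc[" is tolerated).
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?AS_REQ \((?P<etypes>[^)]*)\) "
    r"(?P<ip>\S*): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)

def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    # Client principal is the last token before " for "; the service principal
    # follows it up to the next comma (NEEDED_PREAUTH, ISSUE and PREAUTH_FAILED).
    before, _, after = m.group("rest").partition(" for ")
    return {"ts": m.group("ts"), "ip": m.group("ip"), "status": m.group("status"),
            "client": before.split()[-1].rstrip(","),
            "service": after.split(",")[0].strip()}

def preauth_summary(lines):
    """Count AS_REQ outcomes (NEEDED_PREAUTH, ISSUE, PREAUTH_FAILED, ...) per client."""
    counts = defaultdict(Counter)
    for rec in filter(None, map(parse_as_req, lines)):
        counts[rec["client"]][rec["status"]] += 1
    return counts

def stuck_clients(lines):
    """Principals challenged for preauth that neither got a ticket (ISSUE) nor
    failed the challenge (PREAUTH_FAILED): the client gave up before answering,
    which is what a client-side 'Generic preauthentication failure' looks like."""
    return sorted(c for c, st in preauth_summary(lines).items()
                  if st["NEEDED_PREAUTH"] and not (st["ISSUE"] or st["PREAUTH_FAILED"]))

# Constructed sample modelled on the thread's excerpt (realm and IPs invented).
SAMPLE_LOG = """\
Nov 28 11:04:40 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:04:40 krb5kdc[19575](info): closing down fd 11
Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 28 11:05:02 krb5kdc[19575](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1480331102, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 28 11:15:35 krb5kdc[19573](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
""".splitlines()

if __name__ == "__main__":
    print("stuck at pre-auth challenge:", stuck_clients(SAMPLE_LOG))
```

A principal that shows up here with PREAUTH_FAILED instead would point at a wrong password or key rather than at a client unable to build its pre-authentication data.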
