On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:
> Hi,
> I have read several pages on getting IPA and Clouder Manager working 
> together to make nice with Kerberos, however, having an issue
> following the various steps. When I run through CM set and put the
> primary account in I run into the classic "Preauth required" and yet,
> I can kinit the account with no issues, so I am wondering if there
> are any hints on debugging this? What is typically the cuase of that
> kind of error?

Kat, does something fail, or are you simply concerned with the error
showing up in the kdc logs ?

This error is 'expected' in modern kerberos implementations. The
original krb5 protocol did not use pre-authentication and that made it
subject to offline dictionary attacks.
So to "fix" this hole, pre-authentication mechanism were introduced. 

The requirement to pre-authenticate is communicated to the client in
form of a "Preauth required" error. This is to preserve protocol
compatibility with previous clients and allow a client to discover what
kind of pre-authentication is allowed by the KDC (the allowed pre-auth
types list is returned together with the error).

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to