Hi Simo,

I understand the mechanics of the error, however, when you are trying to configure Cloudera Manager with IPA, the configuration/setup process fails with the error (and it shows in logs) and therefore, CM does not finish the configuration.

I was also just reading: https://community.cloudera.com/t5/Cloudera-Manager-Installation/Add-Support-for-FreeIPA-to-CM/td-p/34582

Which has Dmitri discussing things with Cloudera. The problem seems to be that although CM has a script for custom principal retrievals, maybe what I am seeing here is that it is the ipa-client install that causes the problems? Or am I missing the boat completely?


On 6/2/17 7:59 AM, Simo Sorce wrote:
On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:

I have read several pages on getting IPA and Cloudera Manager working
together to make nice with Kerberos, however, having an issue
following the various steps. When I run through CM set and put the
primary account in I run into the classic "Preauth required" and yet,
I can kinit the account with no issues, so I am wondering if there
are any hints on debugging this? What is typically the cause of that
kind of error?

Kat, does something fail, or are you simply concerned with the error
showing up in the kdc logs?

This error is 'expected' in modern Kerberos implementations. The
original krb5 protocol did not use pre-authentication and that made it
subject to offline dictionary attacks.
So to "fix" this hole, pre-authentication mechanisms were introduced.

The requirement to pre-authenticate is communicated to the client in
the form of a "Preauth required" error. This is to preserve protocol
compatibility with previous clients and allow a client to discover what
kind of pre-authentication is allowed by the KDC (the allowed pre-auth
types list is returned together with the error).

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
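
Added example, not part of the original thread: a small triage script for the point in Simo's reply that "Preauth required" is the normal first leg of an AS exchange. It pairs each NEEDED_PREAUTH entry with what the KDC logged next for the same client, so only exchanges that failed or were never retried stand out. It assumes MIT krb5kdc-style log lines; the sample log, hosts, realm and principals are constructed.

```python
import re

# Constructed sample in the MIT krb5kdc.log line format; hosts, realm and
# principals are made up for this example.
SAMPLE_LOG = """\
Jun 02 07:58:01 ipa.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: NEEDED_PREAUTH: cmadmin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 02 07:58:01 ipa.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: ISSUE: authtime 1496404681, etypes {rep=18 tkt=18 ses=18}, cmadmin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jun 02 07:59:10 ipa.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.22: NEEDED_PREAUTH: hdfs/node1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 02 07:59:10 ipa.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.22: PREAUTH_FAILED: hdfs/node1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jun 02 08:00:30 ipa.example.test krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.23: NEEDED_PREAUTH: yarn/node2.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
"""

# Source address, status code, client principal and service principal of an
# AS_REQ entry. ISSUE lines carry an extra "authtime ..., etypes {...}, " part.
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (\S+): ([A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(\S+) for (\S+?)(?:,|$)"
)

def triage(log_text):
    """Classify AS exchanges that began with a NEEDED_PREAUTH reply."""
    pending = {}  # (addr, client, service) -> NEEDED_PREAUTH line awaiting a retry
    result = {"normal": [], "failed": [], "unanswered": []}
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue
        addr, status, client, service = m.groups()
        key = (addr, client, service)
        if status == "NEEDED_PREAUTH":
            pending[key] = line
        elif status == "ISSUE":
            # Retry with pre-auth data succeeded: the earlier "error" was
            # only the KDC advertising its pre-auth requirement.
            if pending.pop(key, None) is not None:
                result["normal"].append(client)
        else:
            # Any other status (e.g. PREAUTH_FAILED) is a real failure.
            pending.pop(key, None)
            result["failed"].append((client, status))
    # The client never came back with pre-auth data: check the client side.
    result["unanswered"] = [client for (_, client, _) in pending]
    return result

if __name__ == "__main__":
    for outcome, entries in triage(SAMPLE_LOG).items():
        print(outcome, entries)
```

Entries under "normal" can be ignored when debugging; "failed" and "unanswered" are the principals worth checking on the client side.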