On Fri, 2017-06-02 at 10:10 -0500, Kat wrote:
> Hi Simo,
> I understand the mechanics of the error, however, when you are trying
> to configure Cloudera Manager with IPA, the configuration/setup
> process fails with the error (and it shows in logs) and therefore, CM
> does not finish the configuration.
I am not familiar with Cloudera; if it depends on the kadmin interface,
then it will not work, as in FreeIPA that interface is read-only.
If the only issue is using a keytab where they use some old kerberos
component that does not handle preauthenticated encryption, then you
can go into freeipa and lift the requirement to perform
preauthentication for that specific principal.
ipa service-mod my/principal@REALM --requires-pre-auth=false
> I was also just reading:
> Which has Dmitri discussing things with Cloudera. The problem seems
> to be that although CM has a script for custom principal retrievals,
> maybe what I am seeing here is that it is the ipa-client install
> that causes the problems? Or am I missing the boat completely?
> On 6/2/17 7:59 AM, Simo Sorce wrote:
> > On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:
> > > Hi,
> > >
> > > I have read several pages on getting IPA and Cloudera Manager working
> > > together to make nice with Kerberos, however, having an issue
> > > following the various steps. When I run through CM set and put the
> > > primary account in I run into the classic "Preauth required" and yet,
> > > I can kinit the account with no issues, so I am wondering if there
> > > are any hints on debugging this? What is typically the cause of that
> > > kind of error?
> > Kat, does something fail, or are you simply concerned with the error
> > showing up in the kdc logs?
> > This error is 'expected' in modern kerberos implementations. The
> > original krb5 protocol did not use pre-authentication and that made it
> > subject to offline dictionary attacks.
> > So to "fix" this hole, pre-authentication mechanisms were introduced.
> > The requirement to pre-authenticate is communicated to the client in
> > form of a "Preauth required" error. This is to preserve protocol
> > compatibility with previous clients and allow a client to discover what
> > kind of pre-authentication is allowed by the KDC (the allowed pre-auth
> > types list is returned together with the error).
> > HTH,
> > Simo.
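The distinction Simo draws above (a NEEDED_PREAUTH entry is the normal first leg of an AS exchange, and only matters if the client never comes back with pre-authentication) can be checked mechanically against the KDC log. The script below is an added example, not code from the thread or from FreeIPA; the log lines, host names and principals in it are constructed, and the line layout assumed is that of MIT krb5kdc's AS_REQ messages.

```python
"""Triage "Preauth required" noise in an MIT krb5kdc (FreeIPA) log.

NEEDED_PREAUTH followed by ISSUE for the same client principal is the
expected two-step exchange.  NEEDED_PREAUTH with no later ISSUE means the
client gave up (the Cloudera Manager symptom); PREAUTH_FAILED means the
client retried with a wrong key or password.
"""
import re
from collections import defaultdict

# Status and principal fields of an MIT krb5kdc AS_REQ log line (assumed format).
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*?: (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
)

# Constructed sample log: one healthy exchange, one abandoned one, one bad key.
SAMPLE_KDC_LOG = """\
Jun 02 10:10:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:10:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1496416201, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 02 10:11:05 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: NEEDED_PREAUTH: hue/cm.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:12:30 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: NEEDED_PREAUTH: oozie/cm.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:12:30 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: PREAUTH_FAILED: oozie/cm.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""


def triage_as_req(lines):
    """Map each client principal seen in AS_REQ lines to a verdict:
    'ok' (pre-auth round trip completed), 'preauth_failed', or
    'no_retry' (NEEDED_PREAUTH was never answered)."""
    statuses = defaultdict(list)
    for line in lines:
        m = AS_REQ_RE.search(line)
        if m:
            statuses[m["client"]].append(m["status"])
    verdict = {}
    for client, seen in statuses.items():
        if "PREAUTH_FAILED" in seen:
            verdict[client] = "preauth_failed"
        elif "ISSUE" in seen:
            verdict[client] = "ok"
        elif "NEEDED_PREAUTH" in seen:
            verdict[client] = "no_retry"
    return verdict


if __name__ == "__main__":
    for client, result in sorted(triage_as_req(SAMPLE_KDC_LOG.splitlines()).items()):
        print(f"{result:15} {client}")
```

Only the `no_retry` principals point at a client that cannot complete pre-authentication; those are the ones for which the `--requires-pre-auth=false` workaround above would apply.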
FreeIPA-users mailing list -- email@example.com