So, I'm /this/ close to getting a pair of servers in Alaska (on very slow links) setup for IPA authentication.  I've followed the documentation here:

since these two servers are CentOS 6.9.  I'm almost certain I've got everything setup correctly, but I'm still unable to login as an IPA user either with SSH or with su - <username>. I get '<username> does not exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney' successfully:

[root@rad8 nnsrad]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting     Expires            Service principal
10/17/17 15:05:47  10/18/17 15:05:24 krbtgt/

Note that my user account does not exist on the local machine and never has.  And the admin account, while one exists locally, has a different password than the IPA admin.

Rob Crittenden had me check the keytab KVNO and it matches with the KVNO of the IPA server.  The one issue I can definitely say I have is this:

kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials

Rob said the keytab might be out of sync, but unless I'm following his instructions incorrectly, they do match.  Anyone else have ideas on how to get this working?

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to