So, I'm /this/ close to getting a pair of servers in Alaska (on very slow links) set up for IPA authentication.  I've followed the documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html

since these two servers are CentOS 6.9.  I'm almost certain I've got everything set up correctly, but I'm still unable to log in as an IPA user either with SSH or with su - <username>. I get '<username> does not exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney' successfully:

[root@rad8 nnsrad]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark.ha...@neonova.net

Valid starting     Expires            Service principal
10/17/17 15:05:47  10/18/17 15:05:24 krbtgt/neonova....@neonova.net

Note that my user account does not exist on the local machine and never has.  And the admin account, while one exists locally, has a different password than the IPA admin.

Rob Crittenden had me check the keytab KVNO and it matches with the KVNO of the IPA server.  The one issue I can definitely say I have is this:

kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials

Rob said the keytab might be out of sync, but unless I'm following his instructions incorrectly, they do match.  Anyone else have ideas on how to get this working?

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org