Jeremy Utley writes:

> New FreeIPA deployment, and i have one server that is not allowing
> Kerberos to handle authentication, but instead is prompting for
> password with a valid kerberos ticket.  All other machines are working
> normally.  I've double-checked the /etc/ssh/sshd_config file,
> identical between the one not working, and the one that is.  Done the
> same for SSSD and IPA configuration info.  Entering password on the
> machine does work, and does result in a valid ticket being issued.
> Below is some debug info, generated with "KRB5_TRACE=/dev/stdout ssh
> -vvv {hostname}", and truncated down to only parts that differ:

Well, the machine krb5 configurations don't match.  Your "failing" is
using a FILE ccache, while the "working" is using KEYRING.  (Side note:
KEYRING is to be preferred wherever possible.)

Check that the versions of krb5 components match, and that they're
configured the same way (they're not, but this may not be the problem).

The "failing" machine isn't indicating what went wrong; check ssh error
logs on the server maybe?

Also: Please provide the output of `klist -e` on both the working and
failing machines *after* you've tried to ssh in.


Attachment: signature.asc
Description: PGP signature

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to