Hello the list,
I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine). We're seeing this error when users try to log in: they just keep getting the Password: prompt and are unable to log in with FreeIPA accounts. Local accounts are fine. Hostnames have been changed to protect the innocent.

In this host's /var/log/sssd/ldap_child.log

<27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
<27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
<27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed

On the FreeIPA server from /var/log/krb5kdc.log

17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed

On the host in question klist gives the following (note that kinit works, even if ssh login does not):

sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example....@example.org (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example....@example.org (aes128-cts-hmac-sha1-96)
sles01:~ # kinit admin
Password for ad...@example.org:
kinit: Preauthentication failed while getting initial credentials
sles01:~ # kinit admin
Password for ad...@example.org:
sles01:~ # kvno host/sles01.example....@example.org
host/sles01.example....@example.org: kvno = 3

Also, I've compared NTP and there's only ~2.5ms offset between the two hosts. Increasing the logging level of sssd to debug_level=9 does not generate more logs.
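Added example, not part of the original message: the `klist -kte` and `kvno` output quoted above report different key version numbers for the host principal (1 in the keytab, 3 from the KDC), which is worth ruling out when a keytab fails preauthentication. The Python sketch below parses both outputs and flags any principal whose keytab lags the KDC; the sample text, the principal name and the function names are constructed for illustration.

```python
import re

# Constructed sample output; the principal and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/01/17 04:30:40 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""
SAMPLE_KVNO = "host/client.example.test@EXAMPLE.TEST: kvno = 3\n"

# A `klist -kte` data row: KVNO, timestamp, principal, (enctype).
KLIST_ROW = re.compile(r"^\s*(\d+)\s+.*?(\S+@\S+)\s+\([^)]+\)\s*$")
# A `kvno <principal>` result line: "<principal>: kvno = N".
KVNO_ROW = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def keytab_kvnos(klist_output):
    """Map each principal to the highest KVNO present in the keytab listing."""
    newest = {}
    for line in klist_output.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            newest[principal] = max(kvno, newest.get(principal, 0))
    return newest


def kdc_kvnos(kvno_output):
    """Map each principal to the KVNO the KDC reported for it."""
    matches = (KVNO_ROW.match(line) for line in kvno_output.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}


def stale_keytab_entries(klist_output, kvno_output):
    """Return (principal, keytab_kvno, kdc_kvno) where the keytab lags the KDC.

    keytab_kvno is None when the principal has no key in the keytab at all.
    """
    in_keytab = keytab_kvnos(klist_output)
    stale = []
    for principal, kdc in sorted(kdc_kvnos(kvno_output).items()):
        local = in_keytab.get(principal)
        if local is None or local < kdc:
            stale.append((principal, local, kdc))
    return stale


if __name__ == "__main__":
    for principal, local, kdc in stale_keytab_entries(SAMPLE_KLIST, SAMPLE_KVNO):
        print(f"{principal}: keytab KVNO {local}, KDC KVNO {kdc}")
```

On a real host the two inputs would be the captured output of `klist -kte` and of `kvno` run with a valid ticket.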