[Freeipa-users] Unable to create GSSAPI-encrypted LDAP connection

Sun, 03 Dec 2017 17:55:14 -0800 

Hello the list,

 

I've seen this issue on the list several times, but I've not yet seen a
solution posted., We're having this issue on one of our SLES 12 SP2 hosts
(we have other SLES hosts are fine), were seeing this error when users try
and login, they just keep getting the Password: prompt and are unable to log
in with FreeIPA accounts. Local accounts are fine. Hostnames have been
changed to protect the innocent.

 

In this hosts /var/log/sssd/ldap_child.log

<27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - -
Preauthentication failed

<27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - -
Preauthentication failed

 

On the FreeIPA server from /var/log/krb5kdc.log

 

17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example....@example.org for krbtgt/example....@example.org,
Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example....@example.org for krbtgt/example....@example.org,
Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example....@example.org for krbtgt/example....@example.org,
Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd
11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example....@example.org for krbtgt/example....@example.org,
Preauthentication failed

 

On the host in question klist gives the following (note that kinit works,
even if ssh login does not):

 

sles01:~ # klist -kte

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp         Principal

---- -----------------
--------------------------------------------------------

   1 12/01/17 04:30:40 host/sles01.example....@example.org
(aes256-cts-hmac-sha1-96)

   1 12/01/17 04:30:40 host/sles01.example....@example.org
(aes128-cts-hmac-sha1-96)

sles01:~ # kinit admin

Password for ad...@example.org:

kinit: Preauthentication failed while getting initial credentials

sles01:~ # kinit admin

Password for ad...@example.org:

sles01:~ # kvno host/sles01.example....@example.org

host/sles01.example....@example.org: kvno = 3

 

Also, I've compared NTP and there's only ~2.5ms offset between the two
hosts.

 

Increasing the logging level of sssd to debug_level=9 which does not
generate more logs.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to