On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> I've seen this issue on the list several times, but I've not yet seen a
> solution posted. We're having this issue on one of our SLES 12 SP2 hosts
> (our other SLES hosts are fine): we're seeing this error when users try
> to log in, they just keep getting the Password: prompt and are unable to log
> in with FreeIPA accounts. Local accounts are fine. Hostnames have been
> changed to protect the innocent.
>
> In this host's /var/log/sssd/ldap_child.log:
>
> <27>1 2017-12-04T01:33:01.641547+00:00 sles01 sssd[ldap_child[17456 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> <27>1 2017-12-04T01:33:01.641772+00:00 sles01 sssd[ldap_child[17456 - - Preauthentication failed
> <27>1 2017-12-04T01:33:01.725694+00:00 sles01 sssd[ldap_child[17457 - - Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> <27>1 2017-12-04T01:33:01.725987+00:00 sles01 sssd[ldap_child[17457 - - Preauthentication failed
>
> On the FreeIPA server, from /var/log/krb5kdc.log:
>
> 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH: host/sles01.example....@example.org for krbtgt/example....@example.org, Additional pre-authentication required
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED: host/sles01.example....@example.org for krbtgt/example....@example.org, Preauthentication failed
>
> On the host in question klist gives the following (note that kinit works,
> even if ssh login does not):
>
> sles01:~ # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 12/01/17 04:30:40 host/sles01.example....@example.org (aes256-cts-hmac-sha1-96)
>    1 12/01/17 04:30:40 host/sles01.example....@example.org (aes128-cts-hmac-sha1-96)

    ^^^

> sles01:~ # kinit admin
> Password for ad...@example.org:
> kinit: Preauthentication failed while getting initial credentials
> sles01:~ # kinit admin
> Password for ad...@example.org:
> sles01:~ # kvno host/sles01.example....@example.org
> host/sles01.example....@example.org: kvno = 3

                                             ^^^

The host keys stored in /etc/krb5.keytab got out of sync: the keytab
still has KVNO 1 while the current one is already 3.

Most probably someone called ipa-getkeytab without writing the result
back to /etc/krb5.keytab. ipa-getkeytab by default will generate new
keys; you have to use the option --retrieve to get the current keys.

To fix this, call ipa-getkeytab again with the --keytab=/etc/krb5.keytab
option on sles01.example.org to update /etc/krb5.keytab.

HTH

bye,
Sumit

>
> Also, I've compared NTP and there's only ~2.5ms offset between the two
> hosts.
>
> Increasing the logging level of sssd to debug_level=9 does not
> generate more logs.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
