On 2/6/2018 5:04 PM, Robbie Harwood wrote:
John Ratliff via FreeIPA-users <[email protected]>
writes:
I'm having problems with kinit and a 2FA enabled account.
When I run kinit by itself, it says 'kinit: Generic preauthentication
failure while getting initial credentials'.
I saw on the wiki where that problem is solved by doing one of two
things. You can login with the admin account (or some other non-2FA
account). When I do that, it asks for the OTP, but then I get a similar
error message:
$ klist
Ticket cache: FILE:/tmp/krb5cc_760400007
Default principal: [email protected]
Valid starting Expires Service principal
02/06/2018 15:58:04 02/07/2018 15:57:52 krbtgt/[email protected]
$ kinit -T FILE:/tmp/krb5cc_760400007 jratliff
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
The same thing happens when I try to do the anonymous authentication.
I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi
This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
9 IdM client machine.
Maybe take a look at the server logs and see if there's anything there.
Thanks,
--Robbie
I don't see anything useful in the logs. If I login with my key via ssh
and then do a su - jratliff, it gets me a token. I don't know what su -
is doing that the kinit -n steps I saw isn't, but I guess this is a
workaround.
Do you have ideas of what logs specifically I should check? I posted the
output of the trace, but it didn't mean much to me.
Thanks.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
