I don't see anything useful in the logs. If I log in with my key via
ssh and then do a su - jratliff, it gets me a token. I don't know what
su - is doing that the kinit -n steps I saw aren't, but I guess this is
a workaround.

su - as non-root would run the PAM stack for you through pam_sss and thus
SSSD would do a dance, using the host principal for a FAST channel and then
your principal to obtain the actual ticket using your creds.

Do you have ideas of what logs specifically I should check? I posted
the output of the trace, but it didn't mean much to me.

The trace you published is client-side. Robbie asked for the server
logs. Can you check /var/log/krb5kdc.log on the server during the time
you did that request from the client? It would show which requests this
particular client sent.

Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Preauthentication failed
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
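
Added example, not part of the original thread: a small Python parser for the question raised above (which requests a given client sent to the KDC). It groups AS_REQ entries from krb5kdc.log by client address and tags each PREAUTH_FAILED with the preauth mechanism reported just before it. The sample log is constructed with placeholder realm, hosts and addresses, and pairing the two lines by KDC process id is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in krb5kdc.log format (realm, hosts and addresses are placeholders).
SAMPLE_LOG = """\
Feb 11 19:29:18 kdc.example.test krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Feb 11 19:29:18 kdc.example.test krb5kdc[1372](info): closing down fd 11
Feb 11 19:29:32 kdc.example.test krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 kdc.example.test krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Feb 11 19:30:05 kdc.example.test krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.77: ISSUE: authtime 1518395405, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<msg>.*)$")
AS_REQ = re.compile(r"^AS_REQ \(.*?\}\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")
PREAUTH_FAIL = re.compile(r"^preauth \((?P<mech>[^)]+)\) verify failure: (?P<why>.*)$")

def parse_kdc_log(text):
    """Return AS_REQ events; a preauth verify failure is attached to the
    next PREAUTH_FAILED logged by the same KDC process (heuristic)."""
    events, pending = [], {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        fail = PREAUTH_FAIL.match(m["msg"])
        if fail:  # this line carries no client address; remember it per pid
            pending[m["pid"]] = fail["mech"]
            continue
        req = AS_REQ.match(m["msg"])
        if not req:  # e.g. "closing down fd 11"
            continue
        who = PRINCIPALS.search(req["rest"])
        event = {"time": m["ts"], "ip": req["ip"], "status": req["status"],
                 "client": who["client"] if who else None, "preauth_mech": None}
        if req["status"] == "PREAUTH_FAILED":
            event["preauth_mech"] = pending.pop(m["pid"], None)
        events.append(event)
    return events

def by_client_ip(events):
    """Group events by requesting address, in log order."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["ip"]].append((e["time"], e["status"], e["client"], e["preauth_mech"]))
    return dict(grouped)

if __name__ == "__main__":
    for ip, rows in by_client_ip(parse_kdc_log(SAMPLE_LOG)).items():
        print(ip, *rows, sep="\n    ")
```

Run against the server's /var/log/krb5kdc.log, the grouping separates the host-principal request that sets up the FAST channel from the user-principal request that failed preauthentication.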
_______________________________________________
FreeIPA-users mailing list -- [email protected]