Oddly enough, I'm experiencing this on one of our IPA clients as well. However, I have some questions...
On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users <[email protected]> wrote:

> The in-memory keytab is something SSSD copies the keys from
> /etc/krb5.keytab into for its own internal operations; it is OK not to be
> able to access it.
>
> Your problem is different. 'Pre-authentication failed' is Kerberos speak
> for a wrong key (or password) used by the client. This means you have a
> different key in the keytab (/etc/krb5.keytab) and in the KDC database.
>
> What you need to do:
> - check which key version number is in your /etc/krb5.keytab with
>   klist -k -t /etc/krb5.keytab -- your output above shows that the KVNO
>   value is '2'.
>
> - use the following to query for the KVNO number as seen by the KDC:
>   kinit admin
>   kvno -S host myipaserver
>
> If the output of the 'kvno' command shows a different number, you need to
> synchronize the keytab and the key in the IPA KDC database. To do that,
> you can use the ipa-getkeytab command:
>
> kinit admin
> ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver
>

Is this done on the client system that is reporting the error, or on the IPA server?

Also....

> This will force re-generation of the host keytab for the myipaserver machine
> and will store new keys in the krb5.keytab file that is on the container
> volume. After this SSSD should be able to use it.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

The KVNO number is different on the main IPA server (ipasrv01) and on the IPA replica (ipasrv02). Is this a problem? If so, how do I fix it?

[root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
host/[email protected]: kvno = 2
[root@ipasrv01 ~]# kvno -S host ipasrv02.ipa.x.org
host/[email protected]: kvno = 1

Amos
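The keytab-versus-KDC comparison described in the quoted reply, as an added example that is not part of the thread: it parses the output of `klist -k -t` and `kvno -S host` for one principal, reports whether the two KVNOs agree, and prints the `ipa-getkeytab` command from the reply when they do not. The command outputs below are constructed, and the realm IPA.EXAMPLE is a placeholder.

```shell
# Real commands: klist -k -t /etc/krb5.keytab  and  kinit admin && kvno -S host <fqdn>
# Constructed output of: klist -k -t /etc/krb5.keytab (one line per enctype, so a
# KVNO repeats; an older KVNO can also remain from an earlier rekey)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/02/2020 09:00:00 host/ipasrv01.ipa.x.org@IPA.EXAMPLE
   2 01/03/2020 12:00:00 host/ipasrv01.ipa.x.org@IPA.EXAMPLE
   2 01/03/2020 12:00:00 host/ipasrv01.ipa.x.org@IPA.EXAMPLE'

# Constructed output of: kvno -S host ipasrv01.ipa.x.org (KDC holds a newer key)
SAMPLE_KVNO='host/ipasrv01.ipa.x.org@IPA.EXAMPLE: kvno = 3'

# keytab_kvno <klist output> <principal>: highest KVNO stored for that principal (0 if none)
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        'BEGIN { max = 0 } $NF == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 } END { print max }'
}

# kdc_kvno <kvno output>: the number after "kvno =" (empty if the line is not recognised)
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno <principal> <klist output> <kvno output>: returns 0 if in sync, 1 if not.
# A mismatch is the condition behind 'Pre-authentication failed' on the client.
check_kvno() {
    kt=$(keytab_kvno "$2" "$1"); kdc=$(kdc_kvno "$3")
    if [ -n "$kdc" ] && [ "$kt" = "$kdc" ]; then
        echo "$1: keytab KVNO $kt matches KDC"; return 0
    fi
    echo "$1: keytab KVNO $kt, KDC KVNO ${kdc:-unknown}: MISMATCH"; return 1
}

# repair_cmd <ipa server> <keytab path> <principal>: the ipa-getkeytab command from
# the reply; -k is the local path the freshly generated keytab is written to.
repair_cmd() {
    printf 'ipa-getkeytab -s %s -k %s -p %s\n' "$1" "$2" "$3"
}

# Every host has its own host/<fqdn> principal with an independent key, so two
# hosts showing different KVNOs is expected; only keytab vs KDC for the SAME
# principal has to agree.
check_kvno host/ipasrv01.ipa.x.org@IPA.EXAMPLE "$SAMPLE_KLIST" "$SAMPLE_KVNO" || \
    repair_cmd ipasrv01.ipa.x.org /etc/krb5.keytab host/ipasrv01.ipa.x.org
```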
