Amos via FreeIPA-users wrote:
> Oddly enough, I'm experiencing this on one of our IPA clients as well. 
> However, I have some questions...
> 
> On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users
> <[email protected]> wrote:
> 
> 
>     The in-memory keytab is something SSSD copies the keys from
>     /etc/krb5.keytab into for its own internal operations; it is OK not to be
>     able to access it.
> 
>     Your problem is different. 'Pre-authentication failed' is Kerberos speak
>     for a wrong key (or password) used by the client. This means you have a
>     different key in the keytab (/etc/krb5.keytab) and in the KDC database.
> 
>     What you need to do:
>        - check which key version number is in your /etc/krb5.keytab with
>          klist -k -t /etc/krb5.keytab -- your output above shows that KVNO
>          value is '2'.
> 
>        - use the following to query for a KVNO number as seen by the KDC:
>          kinit admin
>          kvno -S host myipaserver
> 
>     If the output of the 'kvno' command shows a different number, you need to
>     synchronize the keytab and the key in the IPA KDC database. To do that,
>     you can use the ipa-getkeytab command:
> 
>     kinit admin
>     ipa-getkeytab -s myipaserver -k
>     /path/to/krb5.keytab-on-container-volume -p host/myipaserver
> 
> 
> Is this done on the client system that is reporting the error, or on the
> IPA server?  Also....

On the machine reporting the Pre-auth failed error.

> 
>     This will force re-generation of the host keytab for the myipaserver machine
>     and will store the new keys in the krb5.keytab file that is on the container
>     volume. After this SSSD should be able to use it.
> 
> 
>     -- 
>     / Alexander Bokovoy
>     Sr. Principal Software Engineer
>     Security / Identity Management Engineering
>     Red Hat Limited, Finland
> 
> 
> 
> The KVNO number is different on the main IPA server (ipasrv01) and on
> the IPA replica (ipasrv02).  Is this a problem?  If so, how do I fix it?
> 
> [root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
> host/[email protected]: kvno = 2
> [root@ipasrv01 ~]# kvno -S host ipasrv02.ipa.x.org
> host/[email protected]: kvno = 1

This is not a problem.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
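The KVNO comparison Alexander describes (keytab KVNO from `klist -k -t` versus the KDC's KVNO from `kvno -S host`), as an added example that is not part of the thread: it parses both outputs and flags the mismatch that produces 'Pre-authentication failed'. The host names, realm and sample outputs below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: detect a keytab/KDC KVNO mismatch for a host principal.
# Constructed sample of `klist -k -t /etc/krb5.keytab` (hostnames assumed).
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 01/03/2020 12:00:00 host/client01.ipa.example.test@IPA.EXAMPLE.TEST
   2 01/03/2020 12:00:00 host/client01.ipa.example.test@IPA.EXAMPLE.TEST'

# Constructed sample of `kvno -S host client01.ipa.example.test` as seen
# from an admin ticket; the KDC has rotated the key past what the keytab holds.
KVNO_OUT='host/client01.ipa.example.test@IPA.EXAMPLE.TEST: kvno = 3'

# keytab_kvno PRINCIPAL KLIST_OUTPUT -> highest KVNO the keytab holds for it
# (0 when the principal is absent). Only lines starting with a number count.
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max }'
}

# kdc_kvno PRINCIPAL KVNO_OUTPUT -> KVNO the KDC reports ("" if not present)
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p ":" && $2 == "kvno" { print $4; exit }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Prints "match" when the keytab carries the KDC's current KVNO, "mismatch"
# when it does not (the state behind 'Pre-authentication failed', fixed with
# ipa-getkeytab as in the thread), and "unknown" when the KDC output lacks it.
check_kvno() {
    kt=$(keytab_kvno "$1" "$2")
    kdc=$(kdc_kvno "$1" "$3")
    if [ -z "$kdc" ]; then
        echo "unknown"
    elif [ "$kt" -eq "$kdc" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# On a real client (assumed principal form; not executed here):
#   P="host/$(hostname -f)@IPA.EXAMPLE.TEST"
#   check_kvno "$P" "$(klist -k -t /etc/krb5.keytab)" "$(kvno -S host "$(hostname -f)")"
check_kvno 'host/client01.ipa.example.test@IPA.EXAMPLE.TEST' "$KLIST_OUT" "$KVNO_OUT"
```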
