On Wed, Mar 10, 2021 at 12:05:27PM -0000, Sam Bell via FreeIPA-users wrote:
> Yeah the password is right.
> On a separate note, on the client machine I had a login problem on both
> Ubuntu (installed before)
> and Fedora. So the problem could be with the server.
>
> For pre-authentication I used the following commands:
> # kadmin.local
> kadmin.local: modprinc +requires_preauth testuser
> Principal "[email protected]" modified.
>
> Server: xpsserver.freeipa.lab (fedora)
> freeipa-server version: 4.9.2 (4.fc32)
>
> client: mu3090x1.freeipa.lab
> freeipa-client version: 4.9.2 (4.fc33)
>
> Here's the log from krb5kdc.log from the server:
> w..
> Mar 10 15:47:12 xpsserver.freeipa.lab krb5kdc[1220](info): preauth (spake)
> verify failure: Preauthentication failed
> Mar 10 15:47:12 xpsserver.freeipa.lab krb5kdc[1220](info): AS_REQ (6 etypes
> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.0.248:
> PREAUTH_FAILED: [email protected] for krbtgt/[email protected],
> Preauthentication failed

Hi,

it looks like the failure is related to spake pre-authentication. This
would explain why it worked on older clients because they most probably
do not support spake. Since you said that new users work I wonder if
changing/resetting the old user's password would help as well?

bye,
Sumit
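
Added example (not part of the original thread, and not FreeIPA or MIT krb5 code): a small triage script that takes krb5kdc.log text, including text wrapped and ">"-quoted by a mail client as above, and pairs each PREAUTH_FAILED AS_REQ with the pre-authentication mechanism the same KDC process logged just before it. The hostnames, principals and addresses in SAMPLE are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: quoted and wrapped the way the log appears in the mail above.
SAMPLE = """\
> Here's the log:
> Mar 10 15:47:12 kdc.example.test krb5kdc[1220](info): preauth (spake)
> verify failure: Preauthentication failed
> Mar 10 15:47:12 kdc.example.test krb5kdc[1220](info): AS_REQ (2 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10:
> PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST,
> Preauthentication failed
> Mar 10 15:48:01 kdc.example.test krb5kdc[1221](info): AS_REQ (1 etypes
> {aes256-cts-hmac-sha1-96(18)}) 192.0.2.11: PREAUTH_FAILED:
> bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
PREAUTH = re.compile(r"krb5kdc\[(\d+)\]\(info\): preauth \(([^)]+)\) verify failure")
AS_FAIL = re.compile(r"krb5kdc\[(\d+)\]\(info\): AS_REQ \(\d+ etypes \{([^}]*)\}\) "
                     r"(\S+): PREAUTH_FAILED: (\S+) for (\S+),")

def unwrap(text):
    """Drop '>' quote markers and rejoin records that a mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if TS.match(line):
            records.append(line)          # a timestamp starts a new record
        elif line and records:
            records[-1] += " " + line     # continuation of the previous record
    return records

def preauth_failures(text):
    """Return one dict per PREAUTH_FAILED AS_REQ, tagged with the failing mechanism."""
    pending, out = {}, []                 # pending: KDC pid -> last mechanism logged
    for rec in unwrap(text):
        if m := PREAUTH.search(rec):
            pending[m.group(1)] = m.group(2)
        elif m := AS_FAIL.search(rec):
            pid, etypes, addr, client, service = m.groups()
            out.append({
                "client": client, "service": service, "addr": addr,
                "mechanism": pending.pop(pid, "unknown"),
                "etypes": [int(n) for n in re.findall(r"\((\d+)\)", etypes)],
            })
    return out

if __name__ == "__main__":
    for f in preauth_failures(SAMPLE):
        print(f["client"], f["addr"], f["mechanism"], f["etypes"])
```

Grouping the results by mechanism and by client address shows whether failures are confined to one mechanism, such as spake here, or to particular client hosts.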
