Still seeing:
preauth (spake) verify failure: Preauthentication failed

kvno ldap/ourdomain
kvno = 2
kvno http/ourdomain
kvno = 1

klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   4 host/[email protected]
   4 host/[email protected]
   5 host/[email protected]
   5 host/[email protected]
   6 host/[email protected]
   6 host/[email protected]
   7 host/[email protected]
   7 host/[email protected]


On Thu, Mar 11, 2021 at 3:47 PM Robert Kudyba <[email protected]> wrote:

> >     > Keytab successfully retrieved and stored in: /tmp/client.keytab
>> >
>> >     This is why SSSD isn't working. SSSD uses the host keytab in
>> >     /etc/krb5.keytab and you invalidated it with the above command.
>> >
>> >
>> > OK what do I need to do to fix this? I got this
>> > from
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>> > (which I realize is old),
>>
>> Please do not use these documents. We'd remove them if it were in our
>> control.
>>
>
> Understood.
>
>
> You can re-run your getkeytab command using /etc/krb5.keytab instead to
>> sync up the keys.
>>
>
> OK I ran:
>
> ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k
> /etc/krb5.keytab
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> Then I scp the keytab to the client /etc directory. Now in the krb5.log I
> see:
>
> Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): TGS_REQ (6 etypes
> {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
> camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
> aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.64.55:
> LOOKING_UP_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)}
> host/client.ourdomain [email protected] for DNS/
> [email protected], Server not found in Kerberos
> database
> Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): closing down fd 11
>
> ssh logs:
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: userauth-request for user
> ouruser service ssh-connection method keyboard-interactive [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: attempt 2 failures 1
> [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: keyboard-interactive devs
>  [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: kbdint_alloc: devices
> 'pam' [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Mar 11 15:39:27 ourdomain sshd[375517]: Postponed keyboard-interactive for
> ouruser from x.x.x.x port 44136 ssh2 [preauth]
> Mar 11 15:39:30 ourdomain sshd[375524]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
>  user=ouruser
> Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
> Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): received for
> user ouruser: 9 (Authentication service cannot retrieve authentication info)
>
>
>> > Does this have to do with your comment above about SSSD not working?
>>
>> Yes. A keytab is a password and this is effectively a "bad password"
>> error.
>
>
> Do I have to restart any services?
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

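Added example, not part of the thread and not FreeIPA's own tooling: a small POSIX shell check that does the comparison the thread is circling around. `klist -k` lists the key version numbers (KVNOs) a keytab holds for each principal, and `kvno <principal>` (run with any valid TGT, e.g. an admin one, since a stale host keytab cannot obtain its own) reports the KVNO the KDC is currently encrypting service tickets under. If the KDC's KVNO is not in the keytab, the keytab is the "bad password" the reply describes. The principal names, realm and sample outputs below are constructed to resemble the thread; the originals are obfuscated.

```shell
#!/bin/sh
# Added example, not from the thread: compare the key version numbers (KVNOs)
# stored in a keytab for a principal with the KVNO the KDC currently uses for
# it. If the KDC's KVNO is absent from the keytab, the keytab holds stale keys
# and every ticket the KDC issues for that service is undecryptable, which is
# the "bad password" failure discussed above.

# Constructed sample of `klist -k` output. The principal names and realm are
# assumed; the thread's originals are obfuscated.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.ourdomain.edu@OURDOMAIN.EDU
   2 host/client.ourdomain.edu@OURDOMAIN.EDU
   4 host/client.ourdomain.edu@OURDOMAIN.EDU
   5 host/client.ourdomain.edu@OURDOMAIN.EDU
   5 nfs/client.ourdomain.edu@OURDOMAIN.EDU'

# Constructed samples of `kvno <principal>` output as run with a valid TGT.
SAMPLE_KVNO_STALE='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 7'
SAMPLE_KVNO_CURRENT='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 5'

PRINC='host/client.ourdomain.edu@OURDOMAIN.EDU'

# keytab_kvnos KLIST_TEXT PRINCIPAL
# Prints the distinct KVNOs the keytab holds for PRINCIPAL, ascending, on one
# line (e.g. "2 4 5"). Header lines never match because their second field is
# not a principal name.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' \
        | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# kdc_kvno KVNO_TEXT
# Extracts N from "principal: kvno = N", which is what `kvno` prints after the
# KDC issues a service ticket encrypted under that key version.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_keytab KLIST_TEXT KVNO_TEXT PRINCIPAL
# Prints "ok" and returns 0 when the KDC's KVNO is present in the keytab,
# otherwise prints "mismatch" and returns 1 (2 if the kvno output is unusable).
check_keytab() {
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] || { echo "no kvno in input"; return 2; }
    for v in $(keytab_kvnos "$1" "$3"); do
        if [ "$v" = "$kdc" ]; then
            echo ok
            return 0
        fi
    done
    echo mismatch
    return 1
}

# Demo on the constructed samples. Real use: feed it the output of
# `klist -k /etc/krb5.keytab` and `kvno "$PRINC"` taken on the affected host.
for sample in "$SAMPLE_KVNO_STALE" "$SAMPLE_KVNO_CURRENT"; do
    if check_keytab "$SAMPLE_KLIST" "$sample" "$PRINC"; then
        echo "keytab key version matches the KDC"
    else
        echo "keytab is stale: KDC has kvno $(kdc_kvno "$sample"), keytab has $(keytab_kvnos "$SAMPLE_KLIST" "$PRINC")"
    fi
done
```

Two caveats a practitioner should keep in mind when acting on a mismatch. Each run of `ipa-getkeytab` without `-r` generates fresh random keys for the principal and bumps its KVNO on the KDC, so every other copy of that principal's keytab becomes stale the moment the command returns; run it once, on the host that will use the keys, writing straight into `/etc/krb5.keytab`, rather than fetching into a temporary file or onto another machine and copying afterwards. `ipa-getkeytab -r` retrieves the existing keys without rotating them, but requires the retrieve-keys permission on the principal. Second, the check above only confirms the key version; `kinit -kt /etc/krb5.keytab "$PRINC"` is the definitive test that the key material itself matches, and a stale keytab fails it with exactly the "Preauthentication failed" message at the top of this message.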