Hi all,
I have a FreeIPA installation with three servers on CentOS Stream 9. Recently,
I upgraded one server from FreeIPA 4.10.0 to 4.10.1. After the upgrade, kinit
<user> fails on the new server for all users, with the sole exception of the
admin user. The following happens:
1) In the command shell, I type "kinit studente" (or any user other than admin)
2) I enter the correct password
3) The result is "kinit: Generic error (see e-text) while getting initial
credentials"
Kerberos authentication still works correctly on the servers which are still on
4.10.0. LDAP authentication works correctly everywhere.
If I check the /var/log/krb5kdc.log, I notice the following:
Mar 14 13:35:13 ipa1.labeconomia.unich.it krb5kdc2868: AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.1.68.199:
HANDLE_AUTHDATA: [email protected] for
krbtgt/[email protected], No such file or directory
So the problem seems to be this "No such file or directory" during the
HANDLE_AUTHDATA phase, but I have no idea what file it is looking for. This
error only appears if I type the correct password. With a wrong password, I
get a standard "Preauthentication failed" error.
Note also that "admin" is the only user with a SID (attribute
"ipaNTSecurityIdentifier" in LDAP), which is required for generating Kerberos
tickets with PACs. Is it possible that the new FreeIPA insists on generating
PACs? If so, is it possible to disable this behaviour?
Thanks for any help,
--gianluca
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
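A triage script for the symptom described in the message above, added here as an example; it is not code from the post or from FreeIPA. It parses krb5kdc.log-style AS_REQ lines, parses an LDIF dump of user entries, and lists the principals whose AS_REQ failed in HANDLE_AUTHDATA and which also have no ipaNTSecurityIdentifier, which is the check the poster's SID/PAC hypothesis calls for. The log lines, the LDIF, the hostnames, the realm and the SID value are all constructed to mimic the real formats, and the base DN in the ldapsearch comment is an assumption to be adjusted to the real domain.

```python
"""Triage helper: correlate AS_REQ failures in /var/log/krb5kdc.log with
LDAP user entries that lack ipaNTSecurityIdentifier. Added example, not
code from the original post or from FreeIPA. Log lines, LDIF, host,
realm and SID values below are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of krb5kdc.log: one HANDLE_AUTHDATA
# failure, one successful issue for admin, one wrong-password failure.
SAMPLE_KDC_LOG = """\
Mar 14 13:35:13 ipa1.example.test krb5kdc[2868](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 10.1.68.199: HANDLE_AUTHDATA: studente@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, No such file or directory
Mar 14 13:36:02 ipa1.example.test krb5kdc[2868](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.1.68.199: ISSUE: authtime 1678797362, etypes {rep=18, tkt=18, ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 14 13:36:40 ipa1.example.test krb5kdc[2868](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.1.68.199: PREAUTH_FAILED: studente@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# Constructed LDIF in the shape produced by (base DN assumed):
#   ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
#       "(objectClass=posixAccount)" krbPrincipalName ipaNTSecurityIdentifier
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalName: admin@EXAMPLE.TEST
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500

dn: uid=studente,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalName: studente@EXAMPLE.TEST
"""

# "status" is the KDC's own tag (HANDLE_AUTHDATA, ISSUE, PREAUTH_FAILED, ...);
# the optional "authtime ..., etypes {...}," part only appears on ISSUE lines.
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<error>.*))?$"
)


@dataclass
class KdcEvent:
    ts: str
    req: str
    client_ip: str
    status: str
    client: str
    server: str
    error: Optional[str]   # trailing ", <message>" on failure lines, else None

    @property
    def failed(self) -> bool:
        return self.error is not None


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Extract AS_REQ/TGS_REQ events; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_RE.match(line)
        if m:
            events.append(KdcEvent(m["ts"], m["req"], m["ip"], m["status"],
                                   m["client"], m["server"], m["error"]))
    return events


def parse_ldif_principals(text: str) -> Dict[str, Optional[str]]:
    """Map krbPrincipalName -> ipaNTSecurityIdentifier (None when absent).
    Attribute names are matched case-insensitively and LDIF line folding
    (continuation lines starting with a space) is undone first."""
    result: Dict[str, Optional[str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)
        attrs: Dict[str, str] = {}
        for line in unfolded.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
        principal = attrs.get("krbprincipalname")
        if principal:
            result[principal] = attrs.get("ipantsecurityidentifier")
    return result


def suspects(events: List[KdcEvent], sids: Dict[str, Optional[str]]) -> List[dict]:
    """Failed AS_REQs, each flagged with whether the client principal has a SID
    and whether it was found in the LDIF at all."""
    rows = []
    for e in events:
        if e.req == "AS_REQ" and e.failed:
            rows.append({"client": e.client, "status": e.status, "error": e.error,
                         "has_sid": sids.get(e.client) is not None,
                         "known_in_ldap": e.client in sids})
    return rows


def sidless_authdata_failures(rows: List[dict]) -> List[str]:
    """Principals that hit HANDLE_AUTHDATA errors and also have no SID: the
    rows consistent with the KDC failing while building a PAC."""
    return sorted({r["client"] for r in rows
                   if r["status"] == "HANDLE_AUTHDATA" and not r["has_sid"]})


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_KDC_LOG)
    sidmap = parse_ldif_principals(SAMPLE_LDIF)
    rows = suspects(evs, sidmap)
    for row in rows:
        print(row)
    print("HANDLE_AUTHDATA failures without a SID:", sidless_authdata_failures(rows))
```

To use it on a real server, read /var/log/krb5kdc.log and the output of the ldapsearch shown in the comment (or check a single account with `ipa user-show <user> --all`, which lists the ipantsecurityidentifier attribute when present) in place of the two samples. A non-empty result from sidless_authdata_failures() supports, but does not by itself prove, the SID/PAC explanation raised in the message; wrong-password attempts are kept in the output under PREAUTH_FAILED so the two failure modes described above can be told apart.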