On 5/4/15 1:02 PM, Simo Sorce wrote:
None of the above -- All the servers are replicated. The user account (a
test account) has not changed PW in weeks and works everywhere else. I
nee to increase some logging. I guess the strange part is as mentioned
-- it works if you login directly to the 7.1 client, no matter which
server it is pointed at.
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!
So I have a strange Kerberos problem trying to figure out. On a
CLIENT, (CentOS 7.1) if I login to account "usera" they get a ticket as
expected. However, if I login to a 6.6 client, it doesn't seem to work.
Both were enrolled the same, obviously one is newer.
Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login as
root, bypassing kerberos, and then do "kinit admin" it works just fine.
But if I do "kinit usera" I get:
kinit: Generic preauthentication failure while getting initial credentials
Which makes no sense. The account works with a 7.1 client but not a 6.x
client?? And yet "admin" works, no matter what. What am I missing here?
Have you recently changed the user password ?
If so this symptom may indicate you are having replication issues
between your servers, and one of the client is hitting the server that
didn't get the keys replicated to it.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project