On 05/04/2015 09:22 PM, Janelle wrote:
On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
Apparently I am not being clear. The user account can login all over
the place with no problems -- RHEL 7.1 or 6.6. HOWEVER, on 7.1, a
login provides a direct tgt, but no matter what you do on any other
host using kinit (after logging in with an SSH key perhaps or as
another user) and even know the password, you get this error.
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!
So I have a strange Kerberos problem trying to figure out. On a
CLIENT, (CentOS 7.1) if I login to account "usera" they get a
expected. However, if I login to a 6.6 client, it doesn't seem to
Both were enrolled the same, obviously one is newer.
Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
root, bypassing kerberos, and then do "kinit admin" it works just
But if I do "kinit usera" I get:
kinit: Generic preauthentication failure while getting initial
Which makes no sense. The account works with a 7.1 client but not a
client?? And yet "admin" works, no matter what. What am I missing
If I had to guess, usera is enabled for OTP-only login. Is that
If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).
Again, logging in with the password, not OTP, works just fine.
Do you get any SELinux AVCs?
May be it is an issue of the ticket cache permissions/labels?
Director of Engineering for IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project