On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out. On a
CLIENT (CentOS 7.1), if I log in to account "usera" they get a
ticket as
expected. However, if I log in to a 6.6 client, it doesn't seem to
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The "servers" are CentOS 7.1 also. If I log in
root, bypassing Kerberos, and then do "kinit admin" it works just
But if I do "kinit usera" I get:

kinit: Generic preauthentication failure while getting initial

Which makes no sense. The account works with a 7.1 client but not a
client?? And yet "admin" works, no matter what. What am I missing
If I had to guess, usera is enabled for OTP-only login. Is that

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

OK, this did give me an idea (thanks, Nathaniel) -- the account was set for BOTH "password" and OTP. Apparently setting both does nothing. Yes, a user can log in with their password only, but trying to use kinit does not work.

I am not sure I understand where the FAST support or the -T option is to be applied. On kinit? That does not seem correct. Perhaps I am misunderstanding this option?

