On Tue, Jun 02, 2015 at 10:39:31AM +0200, Christopher Lamb wrote: > Hi Jakub > > Yes root login works, that's how I've been getting into the box. > > Surprisingly, kinit with my user seems to work on that box. After entering > my password when prompted, it returns to the commandline without error. > > However if I try kinit with another FreeIPA user, then instead of prompting > for a password, it gives "Generic preauthentication failure while getting > initial credentials" error. > > Having set debug_level=10, when I try and ssh in with my FreeIPA user, I > find errors like > > "Retrieving host .... with result: .. Matching credential not found" > > "Received error from KDC ... Additional pre-authentication required" > > "Received error from KDC... Decrypt integrity check failed" > > "Received error code 1432158219"
Replied more in-depth off-list because the logs came in a private mail but for anyone having similar symptoms -- the Kerberos tracing info includes the IP address of the KDC we're trying to talk to. It's worth checking if it's the server that knows the user principal etc.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project