You will find, if you check the ns-slapd "errors" log, that this server may no longer be handling replication correctly.

Look in /var/log/dirsrv/slapd-INSTANCE..../errors

Look for errors where replication is not starting correctly because of credential problems. You may have to re-init this replica. The reason "admin" is locked out is that something gets screwed up with the keytab file that was originally installed (I have not found the cause yet, only experienced the exact same thing).

Once the keytab file is messed up, other servers can't authenticate and therefore the ADMIN account gets locked out. If you restart the server, it will clear for a little while, but go right back to being locked out.

Solution - delete the replica and recreate.

~J

On 9/3/15 2:08 AM, Torsten Harenberg wrote:
Dear all,

I cannot get an "admin" kerberos token anymore on our main IPA server:

[root@ipa log]# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials

Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
ad...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de, Clients
credentials have been revoked

also login via HTTP is not possible anymore:

Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: NEEDED_PREAUTH:
HTTP/ipa.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de, Additional
pre-authentication required
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: ISSUE: authtime
1441271092, etypes {rep=18 tkt=18 ses=18},
HTTP/ipa.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
closing down fd 11
Sep 03 11:04:52 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) 132.195.124.12: LOCKED_OUT:
ad...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de, Clients
credentials have been revoked

while the same works on the secondary server.

I read

http://web.mit.edu/kerberos/krb5-devel/doc/admin/lockout.html

but this did not give me a clue how to get out of this.

I am pretty sure that I never entered a wrong password, but of course
someone could have tried to log in on the Web interface.

Any idea how this can be resolved?

Kind regards

   Torsten


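The KDC log lines quoted above are what the reply suggests reading first. Here is a small parser and summary, written for this thread as an added example (not code from either poster or from FreeIPA), that picks the AS_REQ entries out of a krb5kdc log and reports, per client principal, which statuses the KDC returned and from which source addresses, so a repeatedly LOCKED_OUT principal such as admin stands out from ordinary NEEDED_PREAUTH/ISSUE traffic. The realm, hosts and addresses in the sample are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Matches krb5kdc AS_REQ lines of the shape quoted in the thread (one log line each):
#   <date> <host> krb5kdc[<pid>](info): AS_REQ (<n> etypes {...}) <ip>: <STATUS>: <client> for <service>[, <message>]
# ISSUE lines carry "authtime N, etypes {...}, " before the client principal.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<msg>.*))?$"
)

# Constructed sample (not the thread's own log): admin refused with LOCKED_OUT from two
# sources, the HTTP service principal authenticating normally, one wrong-password attempt.
SAMPLE_LOG = """\
Sep 03 11:02:30 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Sep 03 11:04:52 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: NEEDED_PREAUTH: HTTP/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 03 11:04:52 ipa.example.test krb5kdc[1351](info): closing down fd 11
Sep 03 11:04:52 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: ISSUE: authtime 1441271092, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Sep 03 11:04:52 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Sep 03 11:05:10 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 198.51.100.7: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Sep 03 11:06:00 ipa.example.test krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 203.0.113.5: PREAUTH_FAILED: jdoe@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

def parse_kdc_log(text):
    """One dict per AS_REQ line; unrelated lines (e.g. 'closing down fd') are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def client_summary(events):
    """Per client principal: a Counter of KDC statuses and the set of source IPs seen."""
    summary = defaultdict(lambda: {"statuses": Counter(), "sources": set()})
    for ev in events:
        summary[ev["client"]]["statuses"][ev["status"]] += 1
        summary[ev["client"]]["sources"].add(ev["ip"])
    return dict(summary)

def locked_out_principals(events):
    """Principals the KDC refuses outright (LOCKED_OUT), sorted. A lone PREAUTH_FAILED
    is a single bad attempt and does not by itself mean the principal is locked."""
    return sorted(c for c, s in client_summary(events).items() if s["statuses"]["LOCKED_OUT"])

if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for client, s in client_summary(evs).items():
        print(client, dict(s["statuses"]), sorted(s["sources"]))
    print("locked out:", locked_out_principals(evs))
```

Run it against the real file (e.g. the krb5kdc log on the IPA server) by replacing SAMPLE_LOG with the file's contents; a service principal's own keytab appearing with repeated LOCKED_OUT would match the replica keytab problem the reply describes.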
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project