Still no luck.

Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279

  Issued                Expires               Principal
Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  krbtgt/

KRB5_TRACE=/dev/stdout kinit 
2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
2016-12-15T13:35:35 set-error: -1765328243: Principal not found in any credential cache's password: 
2016-12-15T13:35:50 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2016-12-15T13:35:50 Adding PA mech: SRP
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
2016-12-15T13:35:50 krb5_get_init_creds: loop 1
2016-12-15T13:35:50 KDC sent 0 patypes
2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
2016-12-15T13:35:50 submissing new requests to new host
2016-12-15T13:35:50 connecting to host: udp 
( tid: 00000001
2016-12-15T13:35:50 writing packet: udp 
( tid: 00000001
2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to 
2016-12-15T13:35:51 out of hosts, waiting for replies
2016-12-15T13:36:01 retrying sending to: udp 
( tid: 00000001
2016-12-15T13:36:01 writing packet: udp 
( tid: 00000001
2016-12-15T13:36:12 retrying sending to: udp 
( tid: 00000001
2016-12-15T13:36:12 writing packet: udp 
( tid: 00000001
2016-12-15T13:36:23 host timed out: udp 
( tid: 00000001
2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to 
pulling more hosts
2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm 
2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 
1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 00000001
kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, 
tried 1 KDC

mac client config (OS 10.11.1):

cat /etc/krb5.conf 
    default_realm = INT.DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    renewable = true

  kdc =
  master_kdc =
  admin_server =
  default_domain =
  pkinit_anchors = FILE:/etc/ipa/ca.crt

[domain_realm] = INT.DOMAIN.COM = INT.DOMAIN.COM

On the freeipa server’s krb5kdc.log:

krb5kdc: Realm not local to KDC - while dispatching (udp)

When authenticating with a non 2FA user, works fine.

Anyone can hit me with a clue-stick?



On 2016-12-15, 11:20 AM, " on behalf of 
Alexander Bokovoy" < on behalf of> wrote:

    On to, 15 joulu 2016, Sumit Bose wrote:
    >On Thu, Dec 15, 2016 at 03:38:14PM +0000, Mark Steele wrote:
    >> Hi,
    >> Has anyone managed to make this work and if so, is there some 
documentation for doing so?
    >> I can successfully authenticate to my linux servers using 2FA, but am
    >> unable to get my Mac to be able to get a ticket with kinit.
    >> Kinit returns: “password incorrect”, and isn’t prompting for the
    >> second factor. I’ve also tried appending the second factor to the
    >> password (like when logging into the UI).
    >> Any help would be appreciated.
    >For 2FA FAST is needed
    >For MacOS I found
    >and according to this the MacOS kinit does not support FAST, i.e. using
    >an armor credential cache. But maybe there are newer or alternative
    >versions which supports it?
    Starting with Mac OS X 10.8, Heimdal does support FAST.
    kinit --fast-armor-cache /path/to/ccache
    In Mac OS X numbering scheme for Heimdal this is version 247.6 or later.
    / Alexander Bokovoy
    Manage your subscription for the Freeipa-users mailing list:
    Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to