On Fri, Dec 01, 2017 at 11:54:35AM +0000, James Harrison via FreeIPA-users 
wrote:
> Hello, On one of our FreeIPA servers we are seeing the following messages 
> from journal -f 
> 
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes 
> {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: 
> host/ipa-01.int.domain....@int.domain.com for 
> krbtgt/int.domain....@int.domain.com, Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed 
> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: 
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: 
> Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes 
> {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH: 
> host/ipa-01.int.domain....@int.domain.com for 
> krbtgt/int.domain....@int.domain.com, Additional pre-authentication required
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth 
> (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes 
> {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED: 
> host/ipa-01.int.domain....@int.domain.com for 
> krbtgt/int.domain....@int.domain.com, Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed 
> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: 
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: 
> Preauthentication failed

Most probably /etc/krb5.keytab got out of sync, i.e. someone called
ipa-getkeytab (or similar) without writing the result to
/etc/krb5.keytab. You can check this by calling 

    klist -k

and

   kinit admin (or some other IPA user)
   kvno host/ipa-01.int.domain....@int.domain.com

If the key version number (kvno) from the kvno output cannot be found in
the klist output, you have to write a fresh key to /etc/krb5.keytab with
ipa-getkeytab.

HTH

bye,
Sumit

> 
> [root@pul-lv-ipa-01 ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
> 
> [root@pul-lv-ipa-01 log]# cat /etc/centos-release
> CentOS Linux release 7.4.1708 (Core) 
> 
> Many thanks for any help,
> Regards, James Harrison
> 

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
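
The kvno comparison described in the reply above, as an added example that is not part of the original thread: it parses plain `klist -k` output and `kvno` output and reports whether the keytab still holds the key version the KDC is using. The function names, the principal and all sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline comparison of `klist -k` and `kvno` output.
# All principals and key version numbers below are constructed sample data.

# kdc_kvno PRINCIPAL KVNO_OUTPUT -> kvno the KDC currently issues tickets for
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1:" \
        '$1 == p && $2 == "kvno" && $3 == "=" { print $4; exit }'
}

# keytab_kvnos PRINCIPAL KLIST_OUTPUT -> unique kvnos stored in the keytab
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p && !seen[$1]++ {
            out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# check_keytab_sync PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# returns 0 = in sync, 1 = keytab lacks the KDC's kvno, 2 = could not parse
check_keytab_sync() {
    want=$(kdc_kvno "$1" "$3")
    have=$(keytab_kvnos "$1" "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "UNKNOWN: no kvno found for $1"; return 2
    fi
    case " $have " in
        *" $want "*) echo "OK: keytab holds kvno $want for $1"; return 0 ;;
        *) echo "OUT OF SYNC: KDC kvno $want, keytab has: $have"; return 1 ;;
    esac
}

SAMPLE_PRINC='host/ipa-01.example.test@EXAMPLE.TEST'   # constructed
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 host/ipa-01.example.test@EXAMPLE.TEST
   1 host/ipa-01.example.test@EXAMPLE.TEST'
SAMPLE_KVNO_STALE='host/ipa-01.example.test@EXAMPLE.TEST: kvno = 2'
SAMPLE_KVNO_FRESH='host/ipa-01.example.test@EXAMPLE.TEST: kvno = 1'

check_keytab_sync "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" || true
check_keytab_sync "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_FRESH"
```

On a live host the two text arguments would come from `klist -k` and `kvno <principal>`; the parser assumes the plain `klist -k` column layout, without the extra columns that `-t` or `-e` add.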