On Fri, Dec 01, 2017 at 11:54:35AM +0000, James Harrison via FreeIPA-users wrote:
> Hello,
> On one of our FreeIPA servers we are seeing the following messages
> from journal -f
>
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes
> {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED:
> host/ipa-01.int.domain....@int.domain.com for
> krbtgt/int.domain....@int.domain.com, Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]: Failed
> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9717]]][9717]:
> Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes
> {18 17 16 23 25 26 20 19}) 10.3.5.88: NEEDED_PREAUTH:
> host/ipa-01.int.domain....@int.domain.com for
> krbtgt/int.domain....@int.domain.com, Additional pre-authentication required
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): AS_REQ (8 etypes
> {18 17 16 23 25 26 20 19}) 10.3.5.88: PREAUTH_FAILED:
> host/ipa-01.int.domain....@int.domain.com for
> krbtgt/int.domain....@int.domain.com, Preauthentication failed
> Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7055](info): closing down fd 11
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]: Failed
> to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> Dec 01 11:50:14 ipa-01.int.domain.com [sssd[ldap_child[9721]]][9721]:
> Preauthentication failed

Most probably /etc/krb5.keytab got out of sync, i.e. someone called
ipa-getkeytab (or similar) without writing the result to /etc/krb5.keytab.
You can check this by calling

    klist -k

and

    kinit admin (or some other IPA user)
    kvno host/ipa-01.int.domain....@int.domain.com

if the key version number (kvno) from the kvno output cannot be found in the
klist output, you have to write a fresh key to /etc/krb5.keytab with
ipa-getkeytab.

HTH

bye,
Sumit

>
> [root@pul-lv-ipa-01 ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
>
> [root@pul-lv-ipa-01 log]# cat /etc/centos-release
> CentOS Linux release 7.4.1708 (Core)
>
> Many thanks for any help,
> Regards,
> James Harrison
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
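
The kvno comparison described in the reply above, as an added example that is not part of the original thread: it parses `klist -k` and `kvno` output and reports whether the KDC's current key version is present in the keytab. The principal, the realm, both sample outputs and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (not taken from the thread).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ipa-01.example.test@EXAMPLE.TEST
   1 host/ipa-01.example.test@EXAMPLE.TEST
   3 HTTP/ipa-01.example.test@EXAMPLE.TEST
EOF
}

# Constructed sample of `kvno <principal>` output.
sample_kvno() {
    echo 'host/ipa-01.example.test@EXAMPLE.TEST: kvno = 2'
}

# keytab_kvnos PRINCIPAL: read `klist -k` output on stdin and print the
# distinct key version numbers stored for PRINCIPAL, one per line.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -nu
}

# kdc_kvno PRINCIPAL: read `kvno` output on stdin, print the KDC's kvno.
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4 }'
}

# keytab_in_sync KDC_KVNO KEYTAB_KVNOS: succeed only if the KDC's kvno is
# one of the versions in the keytab; an empty KDC value counts as failure.
keytab_in_sync() {
    [ -n "$1" ] || return 2
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# check_sync PRINCIPAL KLIST_TEXT KVNO_TEXT: print a one-line verdict.
# Live use after kinit: check_sync "$P" "$(klist -k)" "$(kvno "$P")"
check_sync() {
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    want=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if keytab_in_sync "$want" "$have"; then
        echo "in-sync kdc=$want"
    else
        echo "out-of-sync kdc=${want:-unknown} keytab=$(echo $have | tr ' ' ',')"
    fi
}

check_sync host/ipa-01.example.test@EXAMPLE.TEST "$(sample_klist)" "$(sample_kvno)"
```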