[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread Aaron Hicks via FreeIPA-users
Hello the list,

It looks like sssd's horrible logging messages were to blame. It looks like
when the keytab was initially deployed the system time between the IPA
server and the host were not quite in sync and the keytab was invalidated. I
redeployed the host's keytab (which, because SLES lacks the ipa-client tools,
had to be done on the IPA server and delivered via SCP) and the problem was
resolved.

Regards,

Aaron

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Monday, 4 December 2017 2:51 PM
To: 'Aaron Hicks via FreeIPA-users' 
Subject: Unable to create GSSAPI-encrypted LDAP connection

 

Hello the list,

I've seen this issue on the list several times, but I've not yet seen a
solution posted. We're having this issue on one of our SLES 12 SP2 hosts
(our other SLES hosts are fine): we're seeing this error when users try
to log in, they just keep getting the Password: prompt and are unable to log
in with FreeIPA accounts. Local accounts are fine. Hostnames have been
changed to protect the innocent.

In this host's /var/log/sssd/ldap_child.log:

<27>1 2017-12-04T01:33:01.641547+00:00 sles01  sssd[ldap_child[17456 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.641772+00:00 sles01  sssd[ldap_child[17456 - -
Preauthentication failed

<27>1 2017-12-04T01:33:01.725694+00:00 sles01  sssd[ldap_child[17457 - -
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

<27>1 2017-12-04T01:33:01.725987+00:00 sles01  sssd[ldap_child[17457 - -
Preauthentication failed

 

On the FreeIPA server from /var/log/krb5kdc.log:

17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example@example.org for krbtgt/example@example.org,
Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example@example.org for krbtgt/example@example.org,
Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: NEEDED_PREAUTH:
host/sles01.example@example.org for krbtgt/example@example.org,
Additional pre-authentication required

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): closing down fd 11

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed

Dec 04 01:31:42 ipaserver01.example.org krb5kdc[1089](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.168.131.1: PREAUTH_FAILED:
host/sles01.example@example.org for krbtgt/example@example.org,
Preauthentication failed

 

On the host in question klist gives the following (note that kinit works,
even if ssh login does not):

sles01:~ # klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example@example.org (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example@example.org (aes128-cts-hmac-sha1-96)

sles01:~ # kinit admin
Password for ad...@example.org:
kinit: Preauthentication failed while getting initial credentials

sles01:~ # kinit admin
Password for ad...@example.org:

sles01:~ # kvno host/sles01.example@example.org
host/sles01.example@example.org: kvno = 3

 

Also, I've compared NTP and there's only ~2.5ms offset between the two
hosts.

Increasing the logging level of sssd to debug_level=9 does not generate
more logs.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread James Harrison via FreeIPA-users
UPDATE:
The principal info was wrong. I did this and the error hasn't shown up since:
[root@ipa-02 ~]# ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p host/ipa-02 --retrieve
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Thanks for all your help.
 


[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 04, 2017 at 09:37:41AM +, James Harrison wrote:
>  I ran the ipa-getkeytab command you suggested below:
> This was what I got. BTW: The IPAUSER is an admin user, but not the "admin"
> user. I got the same result with the admin user.
> 
> ~] IPA-02 # kinit IPAUSER
> Password for x_ipau...@int.example.com: 
> 
> ~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
> Failed to parse result: Insufficient access rights

The keytab content should be protected like a clear text password, hence
not even IPA admin users have access by default, and I would recommend
only using the --retrieve option of ipa-getkeytab if it is really needed,
i.e. if the keys really have to be used in two different places and
there is no other secure way to copy the keytab content. If you just
want to get /etc/krb5.keytab up-to-date, just do not use the --retrieve
option.

If you still want to use --retrieve, you can find the details about
setting the permissions e.g. at
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management.

HTH

bye,
Sumit

> 
> Failed to get keytab
> 
> 
> Many thanks

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread James Harrison via FreeIPA-users
I ran the ipa-getkeytab command you suggested below:
This was what I got. BTW: The IPAUSER is an admin user, but not the "admin" user.
I got the same result with the admin user.


~] IPA-02 # kinit IPAUSER
Password for x_ipau...@int.example.com: 

~] IPA-02 # ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa-01 -p IPAUSER --retrieve
Failed to parse result: Insufficient access rights

Failed to get keytab


Many thanks


[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-03 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote:
> On the host in question klist gives the following (note that kinit works,
> even if ssh login does not):
> 
>  
> 
> sles01:~ # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ---------------------------------------------------------
>    1 12/01/17 04:30:40 host/sles01.example@example.org (aes256-cts-hmac-sha1-96)
>    1 12/01/17 04:30:40 host/sles01.example@example.org (aes128-cts-hmac-sha1-96)
   ^^^
> 
> sles01:~ # kinit admin
> Password for ad...@example.org:
> kinit: Preauthentication failed while getting initial credentials
> 
> sles01:~ # kinit admin
> Password for ad...@example.org:
> 
> sles01:~ # kvno host/sles01.example@example.org
> host/sles01.example@example.org: kvno = 3
                                        ^^^

The host keys stored in /etc/krb5.keytab got out of sync: the keytab
still has KVNO 1 while the current one is already 3.

Most probably someone called ipa-getkeytab without writing the result
back to /etc/krb5.keytab. ipa-getkeytab by default will generate new
keys; you have to use the option --retrieve to get the current keys.

To fix this, call ipa-getkeytab again with the --keytab=/etc/krb5.conf
option on sles01.example.org to update /etc/krb5.keytab.

HTH

bye,
Sumit

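The comparison Sumit makes by eye above (the KVNO recorded in the keytab for the host principal against the KVNO the KDC currently issues), as an added shell example that is not code from the thread, FreeIPA or SSSD: it reads `klist -kte` and `kvno` output, treats a principal as stale only when none of its keytab entries carries the KDC's current KVNO (a keytab may legitimately hold several KVNOs after a rotation), and flags principals the keytab lacks entirely. Both inputs are constructed samples modelled on Aaron's output; the nfs and cifs principals are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD.
# Compares the KVNOs recorded in a keytab (klist -kte output) with the KVNO
# the KDC currently issues for each principal (kvno output). A keytab may hold
# several KVNOs for one principal after key rotation; it is only stale when
# none of them is the KDC's current one.

# Constructed sample of `klist -kte`, modelled on the thread: the host key is
# still KVNO 1; the hypothetical nfs key was rotated and holds KVNO 2 and 3.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   1 12/01/17 04:30:40 host/sles01.example@example.org (aes256-cts-hmac-sha1-96)
   1 12/01/17 04:30:40 host/sles01.example@example.org (aes128-cts-hmac-sha1-96)
   2 12/02/17 10:00:00 nfs/sles01.example@example.org (aes256-cts-hmac-sha1-96)
   3 12/03/17 10:00:00 nfs/sles01.example@example.org (aes256-cts-hmac-sha1-96)'

# Constructed sample of `kvno <principal>` output for what the KDC currently
# has; the hypothetical cifs principal is not in the keytab at all.
KVNO_OUT='host/sles01.example@example.org: kvno = 3
nfs/sles01.example@example.org: kvno = 3
cifs/sles01.example@example.org: kvno = 1'

# check_keytab KLIST_OUTPUT KVNO_OUTPUT
# One line per principal the KDC reports:
#   ok <principal> kvno=<n>                   keytab holds the current key
#   stale <principal> keytab=<kvnos> kdc=<n>  no keytab entry has the current KVNO
#   missing <principal> kdc=<n>               principal is not in the keytab
check_keytab() {
    awk -v keytab="$1" -v kdc="$2" 'BEGIN {
        n = split(keytab, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")             # KVNO date time principal (etype)
            if (f[1] !~ /^[0-9]+$/) continue    # skip header, ruler and blank lines
            key = f[4] SUBSEP f[1]
            if (key in have) continue           # same KVNO is listed once per etype
            have[key] = 1
            if (f[4] in seen) seen[f[4]] = seen[f[4]] "," f[1]
            else seen[f[4]] = f[1]
        }
        n = split(kdc, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (split(lines[i], f, ": kvno = ") != 2) continue
            p = f[1]; cur = f[2]
            if (!(p in seen)) printf "missing %s kdc=%s\n", p, cur
            else if ((p SUBSEP cur) in have) printf "ok %s kvno=%s\n", p, cur
            else printf "stale %s keytab=%s kdc=%s\n", p, seen[p], cur
        }
    }'
}

# keytab_problems: only the stale/missing lines, e.g. for a monitoring check
# that fires before users start seeing "Preauthentication failed".
keytab_problems() {
    check_keytab "$1" "$2" | grep -v '^ok '
}

check_keytab "$KLIST_OUT" "$KVNO_OUT"
```

On a real host the two inputs would come from `klist -kte` and one `kvno` call per principal listed in the keytab; a stale line for the host principal is exactly the KVNO 1 versus 3 situation in this thread.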