[Freeipa-users] interesting Kerberos issue
Janelle
janellenicole80 at gmail.com
Mon May 4 20:12:59 UTC 2015
On 5/4/15 1:02 PM, Simo Sorce wrote:
> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>> Happy Star Wars Day!
>> May the Fourth be with you!
>>
>> So I have a strange Kerberos problem trying to figure out. On a
>> CLIENT, (CentOS 7.1) if I login to account "usera" they get a ticket as
>> expected. However, if I login to a 6.6 client, it doesn't seem to work.
>> Both were enrolled the same, obviously one is newer.
>>
>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login as
>> root, bypassing kerberos, and then do "kinit admin" it works just fine.
>> But if I do "kinit usera" I get:
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> Which makes no sense. The account works with a 7.1 client but not a 6.x
>> client?? And yet "admin" works, no matter what. What am I missing here?
> Have you recently changed the user password ?
> If so this symptom may indicate you are having replication issues
> between your servers, and one of the client is hitting the server that
> didn't get the keys replicated to it.
>
> Simo.
>
None of the above -- All the servers are replicated. The user account (a
test account) has not changed PW in weeks and works everywhere else. I
nee to increase some logging. I guess the strange part is as mentioned
-- it works if you login directly to the 7.1 client, no matter which
server it is pointed at.
~J
More information about the Freeipa-users
mailing list