I have a FreeIPA installation with many Pop!_OS 21.10 clients. Today
I upgraded one of the clients to Pop!_OS 22.04, and I can no longer authenticate with
FreeIPA on the upgraded client.
In krb5kdc.log file on the server, I can see the error 'verify failure: Incorrect
password in encrypted challenge'
=======
May 17 14:07:43
ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
192.168.10.14: NEEDED_PREAUTH: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM,
Additional pre-authentication required
May 17 14:07:43
ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:07:43
ipa.myhost.com krb5kdc[302](info): preauth (encrypted_challenge) verify
failure: Incorrect password in encrypted challenge
May 17 14:07:43
ipa.myhost.com krb5kdc[302](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
192.168.10.14: PREAUTH_FAILED: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM,
Preauthentication failed
May 17 14:07:43
ipa.myhost.com krb5kdc[302](info): closing down fd 12
=======
If I try the same username/password on a Pop!_OS 21.10 client, I can login successfully
and I see the following log message. I tried multiple times with multiple users, and had
the same result.
=======
May 17 14:05:51
ipa.myhost.com krb5kdc[299](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
192.168.10.24: NEEDED_PREAUTH: joyce(a)MYHOST.COM for krbtgt/MYHOST.COM(a)MYHOST.COM,
Additional pre-authentication required
May 17 14:05:51
ipa.myhost.com krb5kdc[299](info): closing down fd 12
May 17 14:05:51
ipa.myhost.com krb5kdc[301](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce(a)MYHOST.COM for
krbtgt/MYHOST.COM(a)MYHOST.COM
May 17 14:05:51
ipa.myhost.com krb5kdc[301](info): closing down fd 12
May 17 14:05:51
ipa.myhost.com krb5kdc[300](info): TGS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20),
aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)})
192.168.10.24: ISSUE: authtime 1652796351, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, joyce(a)MYHOST.COM for
host/ws024.office-mng.myhost.net(a)MYHOST.COM
May 17 14:05:51
ipa.myhost.com krb5kdc[300](info): closing down fd 12
=======
What changed in Ubuntu 22.04? Could this be due to incompatible encryption type?
Hi,
have you checked if the keyboard encoding changed and you have to type
the special characters of the password differently now?
bye,
Sumit