On Sat, 10 Feb 2018, John Ratliff via FreeIPA-users wrote:
On 2/6/2018 5:04 PM, Robbie Harwood wrote:
>John Ratliff via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>writes:
>
>>I'm having problems with kinit and a 2FA enabled account.
>>
>>When I run kinit by itself, it says 'kinit: Generic preauthentication
>>failure while getting initial credentials'.
>>
>>I saw on the wiki where that problem is solved by doing one of two
>>things. You can login with the admin account (or some other non-2FA
>>account). When I do that, it asks for the OTP, but then I get a similar
>>error message:
>>
>>$ klist
>>Ticket cache: FILE:/tmp/krb5cc_760400007
>>Default principal: admin(a)IDM.XXX.NET
>>
>>Valid starting       Expires              Service principal
>>02/06/2018 15:58:04  02/07/2018 15:57:52  krbtgt/IDM.XXX.NET(a)IDM.XXX.NET
>>
>>$ kinit -T FILE:/tmp/krb5cc_760400007 jratliff
>>Enter OTP Token Value:
>>kinit: Preauthentication failed while getting initial credentials
>>
>>The same thing happens when I try to do the anonymous authentication.
>>
>>I put the output of KRB5_TRACE here
>>https://pastebin.com/jpPDVUXi
>>
>>This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
>>9 IdM client machine.
>
>Maybe take a look at the server logs and see if there's anything there.
>
>Thanks,
>--Robbie
>
>I don't see anything useful in the logs. If I login with my key via
>ssh and then do a su - jratliff, it gets me a token. I don't know what
>su - is doing that the kinit -n steps I saw isn't, but I guess this is
>a workaround.
su - as non-root would run the PAM stack for you through pam_sss, and thus
SSSD would do a dance, using the host principal for a FAST channel and then
your principal to obtain the actual ticket using your creds.

>Do you have ideas of what logs specifically I should check? I posted
>the output of the trace, but it didn't mean much to me.
The trace you published is client-side. Robbie asked for the server
logs. Can you check /var/log/krb5kdc.log on the server during the time
you did that request from the client? It would show which requests this
particular client did send.
--
/ Alexander Bokovoy
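Alexander's suggestion is to read /var/log/krb5kdc.log for the requests the client sent in the window of the failed kinit. The shell helper below is an added example, not code from this thread or from FreeIPA or MIT Kerberos: it filters krb5kdc.log lines by client address and time window and prints, for each AS_REQ/TGS_REQ, the request type, the KDC's status word (NEEDED_PREAUTH, PREAUTH_FAILED, ISSUE) and the client principal, so a failed OTP preauth stands out next to the successful armor-ticket request that preceded it. The log line shape is assumed to be the stock MIT krb5kdc syslog format; the sample lines, the client address 192.0.2.10 and the timestamps are constructed for the example, and only the realm and principal names are taken from the thread.

```shell
#!/bin/sh
# Added example: pick out the KDC requests one client sent in a time window.
# Log line shape assumed (constructed after the stock MIT krb5kdc syslog format):
#   Feb  6 15:58:40 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: jratliff@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET, Preauthentication failed

# kdc_requests LOGFILE CLIENT_IP START END
#   One line per AS_REQ/TGS_REQ from CLIENT_IP whose HH:MM:SS falls in [START, END]:
#   "<time> <request type> <KDC status> <client principal>"
kdc_requests() {
    awk -v ip="$2" -v start="$3" -v end="$4" '
        # field 3 of a syslog line is HH:MM:SS; zero-padded times compare correctly as strings
        $3 < start || $3 > end { next }
        # keep only request lines from this exact client: the leading space and trailing
        # colon stop 192.0.2.1 from matching 192.0.2.10
        /AS_REQ|TGS_REQ/ && (p = index($0, " " ip ": ")) > 0 {
            type = ($0 ~ /AS_REQ/) ? "AS_REQ" : "TGS_REQ"
            rest = substr($0, p + length(ip) + 3)      # "STATUS: details..."
            q = index(rest, ": ")
            if (q == 0) { print $3, type, rest, "-"; next }
            status = substr(rest, 1, q - 1)
            rest = substr(rest, q + 2)
            r = index(rest, " for ")
            if (r > 0) rest = substr(rest, 1, r - 1)
            # ISSUE lines read "authtime ..., etypes {...}, principal"; the principal is the last item
            n = split(rest, parts, ", ")
            print $3, type, status, parts[n]
        }' "$1"
}

# kdc_count_status LOGFILE CLIENT_IP START END STATUS
#   Number of requests in the window that ended with STATUS (e.g. PREAUTH_FAILED).
kdc_count_status() {
    kdc_requests "$1" "$2" "$3" "$4" | awk -v s="$5" '$3 == s { n++ } END { print n + 0 }'
}

# write_sample_log FILE: constructed sample lines, not taken from any real server.
# They mimic the thread: admin gets a ticket, then jratliff's OTP preauth fails.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb  6 15:58:04 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET, Additional pre-authentication required
Feb  6 15:58:04 idm.xxx.net krb5kdc[2190](info): closing down fd 11
Feb  6 15:58:04 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1517950684, etypes {rep=18 tkt=18 ses=18}, admin@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET
Feb  6 15:58:31 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: jratliff@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET, Additional pre-authentication required
Feb  6 15:58:40 idm.xxx.net krb5kdc[2190](info): preauth (otp) verify failure: Preauthentication failed
Feb  6 15:58:40 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: jratliff@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET, Preauthentication failed
Feb  6 15:58:45 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: ISSUE: authtime 1517950725, etypes {rep=18 tkt=18 ses=18}, host/other.idm.xxx.net@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET
Feb  6 16:05:00 idm.xxx.net krb5kdc[2190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: jratliff@IDM.XXX.NET for krbtgt/IDM.XXX.NET@IDM.XXX.NET, Additional pre-authentication required
EOF
}

# Stand-alone demo: the minute around the failed kinit, for the (made-up) client 192.0.2.10.
demo_log=$(mktemp)
write_sample_log "$demo_log"
kdc_requests "$demo_log" 192.0.2.10 15:58:00 15:59:00
echo "PREAUTH_FAILED count: $(kdc_count_status "$demo_log" 192.0.2.10 15:58:00 15:59:00 PREAUTH_FAILED)"
rm -f "$demo_log"
```

On a real server run it as `kdc_requests /var/log/krb5kdc.log <client address> <start> <end>`; the NEEDED_PREAUTH/PREAUTH_FAILED pair for the user principal is the server-side counterpart of the client's "Preauthentication failed", and a NEEDED_PREAUTH with no follow-up at all points at the request never reaching the KDC.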