mir mal via FreeIPA-users wrote:
Hi,
As in the title, a very odd behaviour: if I keep opening new ssh sessions using the same IPA user, after a few successful ones I have an ssh authentication failed error, and in the krb5 logs on the freeipa server I can see the following errors:

Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: c000000@STUXNET.LAB for krbtgt/STUXNET.LAB@STUXNET.LAB, Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11

At the same time, I can use the same user and connect to other hosts, or use kinit or the freeipa web portal. It looks like after N successful attempts I'm hitting some kind of time or max concurrent connections limit, but I can't find any related settings. It's standard Fedora-based freeipa 4.8.10 and the hosts to connect to are Ubuntu. If I wait a few minutes I'm allowed to open another connection, but then again if I try to open a few I hit the error. I've been checking KRB_TRACE for kinit and sshd DEBUG3 level logs, but I can't find why it would happen; the only error is the one above with pre-auth.
I think you'll need to provide more details on your environment. What auth mechanism you're using for ssh, for example.
How certain are you that the pre-auth failure is related to the ssh failure? Are you thinking that on the remote side a kinit is happening upon login?
How is the connection failing on the remote side? sssd logging would be useful to see.
rob