Hi, I’m using my IPA server in docker. I’ve been using that server for more than 8-9 months for ssh login. Everything worked well until a few hours ago. I can’t log in to ssh and I get this strange error:
[sssd[ldap_child[2171]]][2171]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Does someone have an idea how to solve this?
Thank you.
—
Petar Kozić
I also noticed this file doesn’t exist:
MEMORY:/etc/krb5.keytab
Please help me if someone knows. This is a very important service for me.
Thank you!
—
Petar Kozić
I missed that I do have this file; actually it is a link file because I’m using docker.
/etc/krb5.keytab
If I run klist -kt /etc/krb5.keytab I get
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
—
Petar Kozić
On Thu, 02 Jan 2020, Petar Kozić via FreeIPA-users wrote:
I missed that I do have this file; actually it is a link file because I’m using docker.
/etc/krb5.keytab
If I run klist -kt /etc/krb5.keytab I get
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
2 04/05/2019 10:05:50 host/myipaserver@REALM.COM
—
Petar Kozić
The in-memory keytab is something SSSD copies the keys from /etc/krb5.keytab into for its own internal operations; it is OK not to be able to access it.
Your problem is different. 'Pre-authentication failed' is Kerberos speak for a wrong key (or password) used by the client. This means you have a different key in the keytab (/etc/krb5.keytab) and in the KDC database.
What you need to do:
- check which key version number is in your /etc/krb5.keytab with klist -k -t /etc/krb5.keytab -- your output above shows that the KVNO value is '2'.
- use the following to query for the KVNO number as seen by the KDC:
kinit admin
kvno -S host myipaserver
If the output of the 'kvno' command shows a different number, you need to synchronize the keytab and the key in the IPA KDC database. To do that, you can use the ipa-getkeytab command:
kinit admin
ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver
This will force re-generation of the host keytab for the myipaserver machine and will store the new keys in the krb5.keytab file that is on the container volume. After this SSSD should be able to use it.
Thank you, I solved the problem. The problem was in the network on the IPA server. Thanks.
On Fri, Jan 3, 2020, 19:24 Alexander Bokovoy abokovoy@redhat.com wrote:
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Oddly enough, I'm experiencing this on one of our IPA clients as well. However, I have some questions...
On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
The in-memory keytab is something SSSD copies the keys from /etc/krb5.keytab into for its own internal operations; it is OK not to be able to access it.
Your problem is different. 'Pre-authentication failed' is Kerberos speak for a wrong key (or password) used by the client. This means you have a different key in the keytab (/etc/krb5.keytab) and in the KDC database.
What you need to do:
- check which key version number is in your /etc/krb5.keytab with klist -k -t /etc/krb5.keytab -- your output above shows that the KVNO value is '2'.
- use the following to query for the KVNO number as seen by the KDC:
kinit admin
kvno -S host myipaserver
If the output of the 'kvno' command shows a different number, you need to synchronize the keytab and the key in the IPA KDC database. To do that, you can use the ipa-getkeytab command:
kinit admin
ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver
Is this done on the client system that is reporting the error, or on the IPA server? Also....
This will force re-generation of the host keytab for the myipaserver machine and will store the new keys in the krb5.keytab file that is on the container volume. After this SSSD should be able to use it.
The KVNO number is different on the main IPA server (ipasrv01) and on the IPA replica (ipasrv02). Is this a problem? If so, how do I fix it?
[root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
host/ipasrv01.ipa.x.org@IPA.X.ORG: kvno = 2
[root@ipasrv01 ~]# kvno -S host ipasrv02.ipa.x.org
host/ipasrv02.ipa.x.org@IPA.X.ORG: kvno = 1
Amos
Amos via FreeIPA-users wrote:
Is this done on the client system that is reporting the error, or on the IPA server? Also....
On the machine reporting the Pre-auth failed error.
The KVNO number is different on the main IPA server (ipasrv01) and on the IPA replica (ipasrv02). Is this a problem? If so, how do I fix it?
This is not a problem.
rob
no dice....
[root@aisffcgi08 ~]# kinit admin
Password for admin@IPA.X.ORG:
[root@aisffcgi08 ~]# ipa-getkeytab -s ipasrv01.ipa.x.org -k /etc/krb5.keytab -p host/ipasrv01.ipa.x.org
Keytab successfully retrieved and stored in: /etc/krb5.keytab
[root@aisffcgi08 ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (aes128-cts-hmac-sha1-96)
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (aes256-cts-hmac-sha384-192)
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (aes128-cts-hmac-sha256-128)
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (des3-cbc-sha1)
1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (arcfour-hmac)
3 01/16/2020 10:49:51 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)
3 01/16/2020 10:49:51 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes128-cts-hmac-sha1-96)
4 01/16/2020 10:52:10 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)
4 01/16/2020 10:52:10 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes128-cts-hmac-sha1-96)
[root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
host/ipasrv01.ipa.x.org@IPA.X.ORG: kvno = 2
Why does the klist command show KVNO of 3 and 4 for ipasrv01? Where is it getting that from?
Jan 16 11:06:28 aisffcgi08 [sssd[ldap_child[58885]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection
At least in my case, the error did not go away. I suspect I can just remove it as an IPA client and then add it back, but was trying to understand if there was a less extreme way to resolve this, and why it occurred in the first place.
Amos
Amos via FreeIPA-users wrote:
Why does the klist command show KVNO of 3 and 4 for ipasrv01? Where is it getting that from?
Because you requested that principal in your ipa-getkeytab command, rather than host/aisffcgi08.x.org@IPA.X.ORG. The -p argument.
rob
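The two checks this thread converges on are Alexander's keytab-versus-KDC KVNO comparison and Rob's point that the keytab must hold the client's own host principal (the -p mix-up). The script below is an added example, not code from the thread or from FreeIPA; it assumes the `klist -kte` and `kvno -S host` output formats shown above and runs on a constructed sample embedded inline instead of calling the real tools.

```shell
# Added example (not from the thread). Parses `klist -kte` and
# `kvno -S host <fqdn>` output, passed in as text so it runs offline on
# the constructed sample below, and reports both failure modes discussed:
# a keytab KVNO differing from the KDC's, and a keytab that holds another
# host's principal because ipa-getkeytab was run with the wrong -p.
# Highest KVNO per principal, one "principal kvno" line each.
keytab_kvnos() {  # $1: klist -kte output
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ {
      if ($1 + 0 > max[$4]) max[$4] = $1 + 0 }
    END { for (p in max) print p, max[p] }' | sort
}
# KVNO from a "principal: kvno = N" line, as printed by kvno(1).
kdc_kvno() {  # $1: kvno output
  printf '%s\n' "$1" | sed -n 's/^[^ ]*: kvno = \([0-9][0-9]*\)$/\1/p'
}
# 0 when the keytab's newest key for $1 has the KVNO the KDC reports.
kvno_matches() {  # $1: principal, $2: klist output, $3: kvno output
  kt=$(keytab_kvnos "$2" | awk -v p="$1" '$1 == p { print $2 }')
  kdc=$(kdc_kvno "$3")
  [ -n "$kt" ] && [ -n "$kdc" ] && [ "$kt" = "$kdc" ]
}
# 0 when the keytab has an entry for host/<fqdn>@<REALM>.
has_host_principal() {  # $1: fqdn, $2: realm, $3: klist output
  keytab_kvnos "$3" | grep -q "^host/$1@$2 "
}
# Verdict: 0 ok, 1 own host principal missing, 2 KVNO mismatch.
check_host_keytab() {  # $1: fqdn, $2: realm, $3: klist output, $4: kvno output
  p="host/$1@$2"
  if ! has_host_principal "$1" "$2" "$3"; then
    echo "no entry for $p in keytab (wrong -p given to ipa-getkeytab?)"; return 1
  fi
  if ! kvno_matches "$p" "$3" "$4"; then
    echo "KVNO mismatch for $p: keytab has ${kt:-none}, KDC reports ${kdc:-unknown}"; return 2
  fi
  echo "keytab entry for $p matches the KDC"
}
# Constructed sample modelled on the thread: the client's own key is KVNO 1,
# the keytab also holds ipasrv01 keys (KVNO 3, 4) but the KDC reports 2.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------
   1 08/30/2019 13:06:14 host/aisffcgi08.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)
   3 01/16/2020 10:49:51 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)
   4 01/16/2020 10:52:10 host/ipasrv01.ipa.x.org@IPA.X.ORG (aes256-cts-hmac-sha1-96)'
SAMPLE_KVNO_OK='host/aisffcgi08.x.org@IPA.X.ORG: kvno = 1'
SAMPLE_KVNO_BAD='host/ipasrv01.ipa.x.org@IPA.X.ORG: kvno = 2'
check_host_keytab aisffcgi08.x.org IPA.X.ORG "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK"
check_host_keytab ipasrv01.ipa.x.org IPA.X.ORG "$SAMPLE_KLIST" "$SAMPLE_KVNO_BAD" || echo "exit status $?"
```

On a real client, feed it `"$(klist -kte)"` and `"$(kvno -S host "$(hostname -f)")"` after `kinit`; a non-zero exit is the cue to re-run ipa-getkeytab with -p set to the client's own host principal.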
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...