#9917 keytab auth issue: "Kerberos authentication error: kinit: Preauthentication failed while getting initial credentials"
Closed: Fixed 2 years ago by ttomecek. Opened 2 years ago by ttomecek.

Describe what you would like us to do:


We have a keytab for packit@FEDORAPROJECT.ORG which had been working fine for a long time, but since last week we have been getting the error message mentioned above; debug logs:

[1307539] 1619776369.002053: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[1307539] 1619776369.002054: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[1307539] 1619776369.002055: Sending request (304 bytes) to FEDORAPROJECT.ORG
[1307539] 1619776369.002056: Resolving hostname id.fedoraproject.org
[1307539] 1619776370.168452: TLS certificate name matched "id.fedoraproject.org"
[1307539] 1619776370.168453: Sending HTTPS request to https 209.132.190.2:443
[1307539] 1619776370.168454: Received answer (312 bytes) from https 209.132.190.2:443
[1307539] 1619776370.168455: Terminating TCP connection to https 209.132.190.2:443
[1307539] 1619776370.168456: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1307539] 1619776370.168457: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1307539] 1619776370.168458: Response was from master KDC
[1307539] 1619776370.168459: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

I personally have no idea what this means.

Do we need a new keytab?

We changed the password for the packit user a week ago (after the FAS migration); could that be the problem?

Upstream ticket: https://github.com/packit/packit-service/issues/1077

When do you need this to be done by? (YYYY/MM/DD)


~
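The KRB5_TRACE output in the report already contains the answer to "what does this mean": the client built an encrypted-timestamp preauth with the key from the keytab, sent it through the KKDCP proxy, and the KDC answered KRB5KDC_ERR_PREAUTH_FAILED, i.e. it could not decrypt that timestamp with the key it currently holds for the principal. The following is an added triage helper, not code from the ticket, krb5 or packit: it parses trace lines of this shape, pulls out the preauth types, the proxy URL and the KDC error, and maps the error code to a likely cause. The sample trace is copied from the report; the error-code table is the standard krb5 error table (ERROR_TABLE_BASE_krb5 = -1765328384).

```python
"""Triage a KRB5_TRACE log from a failing `kinit -kt` run.

Added example for this ticket, not code from the ticket, krb5 or packit.
"""
import re

# Sample input: the relevant trace lines copied from the report above.
TRACE = """\
[1307539] 1619776369.002053: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[1307539] 1619776369.002054: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[1307539] 1619776369.002055: Sending request (304 bytes) to FEDORAPROJECT.ORG
[1307539] 1619776370.168454: Sending HTTPS request to https 209.132.190.2:443
[1307539] 1619776370.168457: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1307539] 1619776370.168458: Response was from master KDC
[1307539] 1619776370.168459: Received error from KDC: -1765328360/Preauthentication failed
"""

# krb5 error codes are ERROR_TABLE_BASE_krb5 + the protocol error number.
KRB5_ERROR_BASE = -1765328384
KDC_ERRORS = {
    KRB5_ERROR_BASE + 6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    KRB5_ERROR_BASE + 23: "KRB5KDC_ERR_KEY_EXP",
    KRB5_ERROR_BASE + 24: "KRB5KDC_ERR_PREAUTH_FAILED",
    KRB5_ERROR_BASE + 25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    KRB5_ERROR_BASE + 37: "KRB5KRB_AP_ERR_SKEW",
}

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
PREAUTH_RE = re.compile(r"Produced preauth for next request: (.*)")
URI_RE = re.compile(r'URI answer: \d+ \d+ "krb5srv:[^:]*:kkdcp:([^"]+)"')


def parse_trace(text):
    """Return (pid, timestamp, message) triples for every well-formed trace line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return events


def classify(finding):
    """Map the KDC error (plus the preauth we sent) to a likely cause."""
    code = finding["error_code"]
    if code is None:
        return "no_kdc_error"
    if code == KRB5_ERROR_BASE + 24 and "PA-ENC-TIMESTAMP" in finding["preauth"]:
        # We encrypted a timestamp with our key and the KDC could not decrypt it:
        # the keytab key does not match the KDC's key (stale keytab after a
        # password change or key rotation).
        return "key_mismatch"
    if code == KRB5_ERROR_BASE + 37:
        return "clock_skew"
    if code == KRB5_ERROR_BASE + 23:
        return "password_expired"
    if code == KRB5_ERROR_BASE + 6:
        return "unknown_principal"
    return "other"


def triage(text):
    """Extract preauth types, KKDCP URL and KDC error from a trace; add a likely cause."""
    finding = {"preauth": [], "kkdcp_url": None, "error_code": None,
               "error_name": None, "error_text": None, "likely_cause": None}
    for _pid, _ts, msg in parse_trace(text):
        m = PREAUTH_RE.match(msg)
        if m:
            # "PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)" -> names only
            finding["preauth"] = [p.split(" ")[0] for p in m.group(1).split(", ")]
            continue
        m = URI_RE.match(msg)
        if m:
            finding["kkdcp_url"] = m.group(1)
            continue
        m = ERR_RE.match(msg)
        if m:
            code = int(m.group(1))
            finding["error_code"] = code
            finding["error_name"] = KDC_ERRORS.get(code, "unknown")
            finding["error_text"] = m.group(2)
    finding["likely_cause"] = classify(finding)
    return finding


if __name__ == "__main__":
    for k, v in triage(TRACE).items():
        print(f"{k:13} {v}")
```

Run it against the output of `KRB5_TRACE=/dev/stderr kinit -kt fedora.keytab packit@FEDORAPROJECT.ORG`. A `key_mismatch` finding right after a password change is the case in this ticket; `clock_skew` and `password_expired` are the other common causes of a `kinit` failure and are distinguishable by the error code alone, so they should not be fixed by regenerating the keytab.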


After changing the password you will need to generate a new keytab.

You should be able to do this using the ipa-getkeytab command as outlined here https://www.ibm.com/support/pages/cloud-regenerate-new-keytab-file-after-user-password-change

OK, thanks. But what's the FQDN of the IPA server to retrieve the keytab from?

$ man ipa-getkeytab

-s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this option is not provided the server name is read from the IPA configuration file (/etc/ipa/default.conf).

I don't have any /etc/ipa/default.conf even with freeipa-client-common installed.

We tried the IPA server @abompard mentioned in another ticket, ipa01.iad2.fedoraproject.org, but it's not reachable from the internet.

I tried

$ ipa-getkeytab -s id.fedoraproject.org -p packit@FEDORAPROJECT.ORG -k ./fedora.keytab --password
New Principal Password: 
Verify Principal Password: 
Unable to create new TLS context (OpenSSL failed to initialize or to load certificates)
    Can't contact LDAP server
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to create new TLS context (OpenSSL failed to initialize or to load certificates)
    Can't contact LDAP server
Failed to bind to server!
Failed to get keytab
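Once a keytab is retrieved, the quick check is `klist -kte ./fedora.keytab`: each entry carries the key version number (kvno) of the password it was derived from, and a password change bumps the kvno on the KDC, so a keytab whose entries all sit at the old kvno will keep failing preauth. As an added illustration (not code from the ticket, krb5 or FreeIPA), the block below builds two constructed keytabs for the principal in this ticket, one "old" at kvno 3 and one "fresh" at kvno 4 with dummy key bytes, and parses them back with a minimal reader for the documented MIT keytab format 0x0502 (big-endian integers, each entry prefixed by its int32 length, negative lengths marking deleted slots). The timestamps and key material are made up.

```python
"""Inspect MIT keytab (format 0x0502) entries without klist.

Added example for this ticket, not code from the ticket, krb5 or FreeIPA.
Keytab contents below are constructed: dummy keys, made-up timestamps.
"""
import struct

ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
NT_PRINCIPAL = 1


def _cstr(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return bytes(data[p + 2:p + 2 + n]), p + 2 + n


def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialize one keytab_entry for a principal written as name[/inst]@REALM."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name_type, time, vno8
    body += struct.pack(">H", enctype) + _cstr(key)                     # keyblock
    body += struct.pack(">I", kvno)                                     # full 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, timestamp, key_len} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted slot: skip its payload
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_cstr(data, p)
        kvno = vno8
        if end - p >= 4:        # 32-bit kvno present; it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
            "timestamp": ts,
            "key_len": len(key),
        })
        off = end
    return entries


def max_kvno(data, principal):
    """Highest kvno the keytab holds for `principal`, or None if absent."""
    return max((e["kvno"] for e in parse_keytab(data)
                if e["principal"] == principal), default=None)


# Constructed fixtures: the keytab from before the password change and a fresh one.
PRINCIPAL = "packit@FEDORAPROJECT.ORG"
OLD_KEYTAB = build_keytab([
    (PRINCIPAL, 3, 18, bytes(range(32)), 1600000000),
    (PRINCIPAL, 3, 17, bytes(range(16)), 1600000000),
])
NEW_KEYTAB = build_keytab([
    (PRINCIPAL, 4, 18, bytes(range(32, 64)), 1619000000),
])
# A deleted slot (negative length) as left behind by `ktutil delent`.
DELETED_SLOT = struct.pack(">i", -3) + b"xyz"

if __name__ == "__main__":
    for label, kt in (("old", OLD_KEYTAB), ("new", NEW_KEYTAB)):
        for e in parse_keytab(kt):
            print(f"{label}: kvno {e['kvno']:>3} {e['principal']} ({e['enctype']})")
```

If `max_kvno` of the keytab you are about to deploy is not higher than that of the one that started failing, you retrieved a copy of the same old key rather than a fresh one, and `kinit -kt` will fail the same way.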

Metadata Update from @asaleh:
- Issue priority set to: Waiting on External (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble

2 years ago

Jirka probably forgot to reply here. We managed to generate a keytab using the guide and authenticate with it successfully. Thank you so much, Kevin!

Metadata Update from @ttomecek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
