Albert Szostkiewicz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Thanks for reply Rob! > >> /var/log/krb5kdc.log might have more details on the GSS failures, or the >> journal. > > Yeah, I've checked that as well. Unfortunately 'Preauthentication > failed' Was no more explanatory to me. Here, it means that a mismatch has occurred between the keytab and the KDC's view of the world. "preauthentication" is the first part of requesting a Kerberos ticket from the KDC in a modern workflow, wherein the client proves its identity to the server. I would guess that, if you ran `kvno HTTP/ipa.home.mydomain.com`, it would not match the kvno listed in your webserer's keytab. Probably at some point a new keytab was issued, incrementing the kvno, but it wasn't copied to this server. Thanks, --Robbie
signature.asc
Description: PGP signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
