Didn't see the original thread... but guessing as to the issue; IPA w. ipaclient uses aes256-cts-sha-96 with random salt to encrypt session keys and principals keytabs.
Things that generate a keytab using ktutil for example will fail, it does not take the random salt string as part of the 'addent' call so this creates issues. If IPAclient is in use then the ipa-getkeytab must be used. On Tue, Jan 16, 2018 at 9:20 AM, Greg Hudson <ghud...@mit.edu> wrote: > On 01/10/2018 11:03 AM, lejeczek wrote:> krb5kdc[606061](info): preauth > (encrypted_timestamp) verify > > failure: Preauthentication failed > > One would normally see this error if the wrong key or password was used > to authenticate. So there might be a mismatch between the keytab file > on the initiating host and the KDC. As I am not familiar with FreeIPA > (only Kerberos), I don't know how that might have come about. > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Todd Grayson Business Operations Manager Customer Operations Engineering Security SME ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
