On 15/05/2023 19:00, Charles Hedrick via FreeIPA-users wrote:
I just upgraded from Red Hat 9.0 to 9.2 on a set of Kerberos servers, fortunately a test system. I can't kinit as existing users. If I add a user I can kinit as them. Changing the password doesn't help. krb5kdc says:

May 15 13:58:30 krb1.cs.rutgers.edu krb5kdc[652884](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 128.6.157.187: HANDLE_AUTHDATA: c...@cs.rutgers.edu for kadmin/chang...@cs.rutgers.edu, No such file or directory

The only difference I see in LDAP attributes between the existing and new users is that the new user has
ipaNTSecurityIdentifier: S-1-5-21-3719230765-1403434741-3275474567-88461
and
objectClass: ipantuserattrs

We are not using anything Windows-related

You need to run 'ipa config-mod --enable-sid --add-sids' on one of your servers. See <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts>.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

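The diagnosis in the thread comes down to one LDAP attribute: users created before SIDs were enabled have no ipaNTSecurityIdentifier, so the KDC cannot build the PAC for them and the AS_REQ fails, while users created afterwards (which carry the ipantuserattrs objectClass and a SID) work. The script below is an added example, not code from the thread or from the FreeIPA project: it lists every user entry that lacks the attribute, so you can see the blast radius before and confirm the fix after running 'ipa config-mod --enable-sid --add-sids'. The LDIF sample is constructed; the base DN dc=example,dc=com, the user names and the SID value are assumptions, and the real ldapsearch invocation is shown in a comment because it needs a live IPA server and a Kerberos ticket.

```shell
#!/bin/sh
# Report IPA users that have no ipaNTSecurityIdentifier (i.e. no SID).
# Reads LDIF as produced by `ldapsearch -LLL` on stdin, prints one uid per line.

list_users_without_sid() {
    awk '
        /^#/   { next }                     # ldapsearch comments/referrals
        /^ /   { next }                     # folded continuation line
        /^$/   { emit(); next }             # blank line ends an LDIF entry
        /^uid: / { uid = substr($0, 6) }    # "uid: alice" -> "alice"
        /^ipaNTSecurityIdentifier:/ { has_sid = 1 }
        END    { emit() }                   # last entry may lack a trailing blank
        function emit() {
            if (uid != "" && !has_sid) print uid
            uid = ""; has_sid = 0
        }
    '
}

# Constructed sample of what the real query returns (assumed names and SID):
# alice was created after SIDs were enabled, bob predates them and has none.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

EOF
}

# Demonstration on the constructed sample: prints "bob".
sample_ldif | list_users_without_sid

# Against a real server (not run here): BASE is your IPA base DN and you
# hold an admin ticket (kinit admin) so GSSAPI binding works.
#
#   BASE='dc=example,dc=com'
#   ldapsearch -LLL -Y GSSAPI -H "ldap://$(hostname -f)" \
#       -b "cn=users,cn=accounts,$BASE" '(objectClass=posixAccount)' \
#       uid ipaNTSecurityIdentifier | list_users_without_sid
#
# If anything is printed, run the fix from the reply on one IPA server:
#
#   ipa config-mod --enable-sid --add-sids
#
# then rerun the query; an empty result means every user now has a SID
# and the KDC can issue tickets with a PAC for them again.
```

Run the ldapsearch pipeline once before the config-mod to record which principals are affected, and once after to confirm the list is empty; kinit for one of the previously failing users is the final end-to-end check.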