Cannot authenticate using Kerberos after upgrading Red Hat Identity Management - Red Hat Customer Portal

SOLUTION VERIFIED - Updated May 30 2023 at 4:44 PM - English

Environment

* Red Hat Enterprise Linux Server (RHEL) 9
* Red Hat Identity Management (IdM)
* ipa-server-4.10.1-3.el9 and newer

Issue

* After updating ipa-server to 4.10.1-3 or newer, domain users can no longer log in with Kerberos.

    $ kinit test
    Password for test@EXAMPLE.COM:
    kinit: Generic error (see e-text) while getting initial credentials

* KDC logs in /var/log/krb5kdc.log might show the following error:

    May 25 10:19:05 Sdn.example.com krb5kdc[30843](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 127.0.0.1: HANDLE_AUTHDATA: test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, No such file or directory

Resolution

* Run the SID generation task on the IdM server:

    $ kinit admin
    $ ipa config-mod --enable-sid --add-sids

* Check if a SID has been generated for the user:

    $ ipa user-show <user> --all | grep ipantsecurityidentifier
    ipantsecurityidentifier: S-1-5-21-198193297-2287641477-1368658080-1001

Root Cause

Starting from version 4.10.1-3, ipa-server is built on Kerberos 1.20, which requires Kerberos tickets to contain a valid Privileged Attribute Certificate (PAC) with the user's SIDs. Tickets without a valid PAC are rejected.
Diagnostic Steps

Check if the impacted user has a generated security identifier:

    $ ipa user-show <user> --all | grep ipantsecurityidentifier

Product(s): Red Hat Identity Management
Component: ipa
Category: Upgrade
Tags: rhel

This solution is part of Red Hat's fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments

Jun 30, 2023 2:43 PM
Tru

    [truadm@ud22-2025 ~]$ rpm -q ipa-client ipa-server
    ipa-client-4.10.1-7.el9_2.x86_64
    ipa-server-4.10.1-7.el9_2.x86_64
    [truadm@ud22-2025 ~]$ ipa user-add toto --first=t --last=oto >> /dev/null &
    ipantsecurityidentifier: S-1-5-21-1850184615-507559960-4002686106-1009
    [truadm@ud22-2025 ~]$ ipa user-del toto
    Deleted user "toto"
    [truadm@ud22-2025 ~]$ ipa user-add toto --first= --last=oto --uid=2000 >>
    [truadm@ud22-2025 ~]$ ipa user-del toto
    Deleted user
    [truadm@ud22-2025 ~]$ ipa user-add toto --first= --last=oto --uid=1759400
    ipantsecurityidentifier: S-1-5-21-1850184615-507559960-4002686106-1099

Why can't I use --uid=2000 but huge integer value is fine?

Nov 24, 2023 3:47 AM
Thamizhdhasan Selvaraj

We have approximately 200 users, all of whom utilize IDM. Some users rely on passwords to access JupyterLab. Following a system upgrade, setting passwords in IDM is successful. However, when attempting to use 'kinit username' and proceeding with the password, an error occurs: 'kinit: Generic error (see e-text) while getting initial credentials.' How can we resolve this issue for existing users?

I followed the above solution but that did not work for me.

    ipa user-show testuser --all|grep ipantsecurityidentifier >> no output

My OS: Red Hat Enterprise Linux release 9.2 (Plow) / and IPA rpm installed: ipa-server-4.10.1-8.el9_2.x86_64

Could you please help me to fix it?

Jan 5, 2024 4:29 PM
Andreas Janster

You have to add the SID manually:

    # ldapmodify -h 127.0.0.1 -D "cn=Directory Manager" -W <<EOF
    dn: uid=ajans,cn=users,cn=accounts,dc=hsIn,dc=ampri
    changetype: modify
    add: objectClass
    objectClass: ipantuserattrs
    -
    add: ipantsecurityidentifier
    ipantsecurityidentifier: S-1-5-21-1003827706-901742914-3267927720-1003
    EOF

Jan 25, 2024 8:01 PM
Chris St. John

=x < ID Ranges). I ran "ipa config-mod --enable-sid --add-sids" as stated in this article, but it did not add the SID to the user. I had to create the user with a UID within the specified range or let the "ipa user-add" command generate it automatically.

    rpm -q ipa-server
    ipa-server-4.10.2-4.el9_3.1.x86_64
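The Diagnostic Steps check one user at a time, and the comments report that accounts whose UID lies outside the configured ID ranges did not receive a SID from the generation task. The script below is an added example, not part of the Red Hat article: it lists every account without `ipantsecurityidentifier` and marks whether its UID falls inside a local ID range. The `classify` helper, the sample data, and the assumed listing layout (shaped like `ipa user-find --all --raw` and `ipa idrange-find --all --raw` output) are assumptions.

```sh
#!/bin/sh
# Added example. USERS and RANGES are CONSTRUCTED samples shaped like the output
# of "ipa user-find --all --raw" and "ipa idrange-find --all --raw" (assumed
# layout: one "attr: value" per line, blank line between entries).
USERS='  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  uid: alice
  uidnumber: 1850000004
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1004

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  uid: bob
  uidnumber: 1850000007

  dn: uid=toto,cn=users,cn=accounts,dc=example,dc=com
  uid: toto
  uidnumber: 2000'
RANGES='  cn: EXAMPLE.COM_id_range
  ipabaseid: 1850000000
  ipaidrangesize: 200000
  iparangetype: ipa-local'

# classify (hypothetical helper): $1 = user listing, $2 = ID range listing.
# Prints "login uidnumber in-range|out-of-range" for every user with no SID.
classify() {
  printf '%s\n\n%s\n' "$2" "$1" | awk '
    function emit(   i, v) {
      if (type == "ipa-local") {          # remember each local range [lo, hi)
        n++; lo[n] = base + 0; hi[n] = base + size
      } else if (uid != "" && num != "" && !sid) {
        v = "out-of-range"
        for (i = 1; i <= n; i++) if (num + 0 >= lo[i] && num + 0 < hi[i]) v = "in-range"
        print uid, num, v
      }
      uid = num = type = base = size = ""; sid = 0
    }
    { key = tolower($1) }                 # attribute names compared case-insensitively
    NF == 0                           { emit() }
    key == "uid:"                     { uid = $2 }
    key == "uidnumber:"               { num = $2 }
    key == "ipantsecurityidentifier:" { sid = 1 }
    key == "ipabaseid:"               { base = $2 }
    key == "ipaidrangesize:"          { size = $2 }
    key == "iparangetype:"            { type = $2 }
    END { emit() }'
}

classify "$USERS" "$RANGES"
```

On a live server, pass the captured output of the two `ipa` commands as the two arguments instead of the sample variables.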
