Short tip: kinit: Cannot read password while getting initial credentials

While registering a client system with a FreeIPA server I recently stumbled upon the following error message:

# ipa-client-install
User authorized to enroll computers: admin
Kerberos authentication failed
kinit: Cannot read password while getting initial credentials

After wasting quite a lot of time analyzing configuration files and SELinux, I remembered that the cause of this issue can be quite simple. When you receive error messages like this, try to obtain a Kerberos ticket using kinit; it is possible that the password has simply expired:

# kinit admin@STANKOWIC.LOC
Password for admin@STANKOWIC.LOC: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:

Another common issue is too large a time difference between the Kerberos client and server. Make sure to always keep your clocks synchronized with NTP.
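
A pre-enrollment clock check, added here as an example and not part of the original post: it compares the local clock with the Date header of an HTTP response from the server and flags a difference above the MIT Kerberos default tolerance of 300 seconds. Using the HTTP Date header as the time source, the hostname ipa.example.test and the function names are assumptions; GNU date is required.

```shell
#!/bin/sh
# Kerberos rejects requests when client and KDC clocks differ by more than
# the allowed skew. MIT krb5 defaults to 300 seconds ("clockskew" in krb5.conf).
MAX_SKEW=${MAX_SKEW:-300}

# header_to_epoch "Date: Tue, 01 Jan 2030 00:00:00 GMT" -> epoch seconds.
# Returns non-zero if the line is not a parsable Date header.
header_to_epoch() {
    value=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Dd]ate:[[:space:]]*//p')
    [ -n "$value" ] || return 1
    date -u -d "$value" +%s 2>/dev/null
}

# clock_skew LOCAL_EPOCH SERVER_EPOCH -> absolute difference in seconds.
clock_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( 0 - diff ))
    fi
    echo "$diff"
}

# check_skew LOCAL_EPOCH "DATE HEADER"
# Prints a verdict. Exit status: 0 = within tolerance, 1 = too large,
# 2 = header could not be parsed.
check_skew() {
    server=$(header_to_epoch "$2") || { echo "unparsable Date header"; return 2; }
    skew=$(clock_skew "$1" "$server")
    if [ "$skew" -gt "$MAX_SKEW" ]; then
        echo "skew ${skew}s exceeds ${MAX_SKEW}s"
        return 1
    fi
    echo "skew ${skew}s ok"
}

# Live use on the client before ipa-client-install (placeholder hostname):
#   check_skew "$(date +%s)" \
#       "$(curl -sI https://ipa.example.test/ | grep -i '^date:')"
```

The HTTP header has one-second resolution, which is sufficient for a tolerance measured in minutes.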
