
Short tip: kinit: Cannot read password while getting initial credentials

While registering a client system with a FreeIPA server I recently stumbled upon the following error message:

# ipa-client-install
...
User authorized to enroll computers: admin
...
Kerberos authentication failed
kinit: Cannot read password while getting initial credentials

After wasting quite a lot of time analyzing configuration files and SELinux, I remembered that the cause of this issue can be quite simple. When you receive an error message like this, try to obtain a Kerberos ticket manually with kinit; it is possible that the password has simply expired:

# kinit admin@STANKOWIC.LOC
Password for admin@STANKOWIC.LOC: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:

Another common cause is too large a time difference between the Kerberos client and server. Make sure to always synchronize your clocks with NTP.
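As an added example (not part of the original post), the shell helpers below triage the two causes named above from captured output, a password expiration timestamp and two clock readings. The `krbPasswordExpiration` LDAP attribute, the "Clock skew too great" message and the 300-second limit (the MIT Kerberos default) are not on this page; the function names and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for a failed Kerberos step during enrollment.
# Function names are hypothetical; they are not part of FreeIPA or krb5.

# Map captured kinit / ipa-client-install output (read from stdin) to a
# likely cause. "Cannot read password" only says that kinit could not
# prompt, so the next step is to run kinit by hand as shown in the post.
classify_krb_error() {
    out=$(cat)
    case $out in
        *"Password expired"*)      echo "password-expired" ;;
        *"Clock skew too great"*)  echo "clock-skew" ;;
        *"Cannot read password"*)  echo "retry-kinit-interactively" ;;
        *)                         echo "unknown" ;;
    esac
}

# Return 0 if a krbPasswordExpiration value (LDAP GeneralizedTime in UTC,
# for example 20190315101552Z) lies at or before "now". The optional second
# argument overrides "now" in the same format. Returns 2 on a malformed
# timestamp. Both values are 14-digit UTC stamps, so a numeric comparison
# is enough and no date arithmetic is needed.
password_expired() {
    exp=${1%Z}
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    now=${now%Z}
    case $exp in
        *[!0-9]*|"") echo "bad timestamp: $1" >&2; return 2 ;;
    esac
    [ "${#exp}" -eq 14 ] || { echo "bad timestamp: $1" >&2; return 2; }
    [ "$exp" -le "$now" ]
}

# Return 0 if client and server clocks (epoch seconds, e.g. from "date +%s"
# on each host) differ by more than the allowed skew in seconds.
# Assumption: 300 s, the MIT Kerberos default for "clockskew".
skew_too_great() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -gt "${3:-300}" ]
}
```
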


4 Comments

  1. Ek C. says:

    Greetings Christian,
    Your post saved me time.
    I am playing with VM images for RHCSA and encountered a similar error.

    Could you share how you found out that the cause was password expiration?

    1. Christian says:

      Hey Ek C.
      When retrieving a Kerberos ticket, you will receive an error message regarding the expired password. On the other hand, you could check the user within FreeIPA as there is also a hint about expired passwords.

      Does this help?

      Best wishes,
      Christian.

  2. Andrei says:

    I’m praising you now, man! Wasted a day at my work trying to figure this shit out, trying many different approaches, but this one was what saved me!
    Thank you so much!

    Ek C.
