While registering a client system with a FreeIPA server I recently stumbled upon the following error message:
# ipa-client-install ... User authorized to enroll computers: admin ... Kerberos authentication failed kinit: Cannot read password while getting initial credentials
After wasting quite a lot of time with analyzing configuration files and also SELinux I remembered that the cause for this issue can be quite simple. Try to generate a Kerberos ticket using kinit when receiving error messages like this – it is possible that the password simply expired:
# kinit admin@STANKOWIC.LOC Password for admin@STANKOWIC.LOC: Password expired. You must change it now. Enter new password: Enter it again:
Another common issue is that time stamps have a too big difference between Kerberos client and server. Make sure to always synchronize your time settings with NTP.