Short tip: kinit: Cannot read password while getting initial credentials

While registering a client system with a FreeIPA server I recently stumbled upon the following error message:

# ipa-client-install
User authorized to enroll computers: admin
Kerberos authentication failed
kinit: Cannot read password while getting initial credentials

After wasting quite a lot of time analyzing configuration files and SELinux, I remembered that the cause of this issue can be quite simple. When you receive error messages like this, try to generate a Kerberos ticket using kinit; it is possible that the password has simply expired:

# kinit admin@STANKOWIC.LOC
Password for admin@STANKOWIC.LOC: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:

Another common issue is too large a time difference (clock skew) between the Kerberos client and server. Make sure to always synchronize your clocks with NTP.
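
Triage helpers for the two causes named above, as an added example that is not part of the original post: they classify captured kinit output, check krbPasswordExpiration in `ipa user-show <user> --all --raw` style output, and test a clock difference against the 300-second MIT Kerberos default. The function names, the "Password has expired" and "Clock skew too great" strings (standard MIT Kerberos messages not quoted on this page), the attribute label and the sample input are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): triage for the two causes above.
MAX_SKEW=300  # MIT Kerberos default "clockskew" in seconds

# Map captured kinit / ipa-client-install output (stdin) to a likely cause.
classify_kinit_output() {
    out=$(cat)
    case "$out" in
        *"Password expired"*|*"Password has expired"*) echo "password-expired" ;;
        *"Clock skew too great"*) echo "clock-skew" ;;
        # Non-interactive caller could not answer a prompt: rerun kinit by hand.
        *"Cannot read password"*) echo "retry-interactively" ;;
        *) echo "unknown" ;;
    esac
}

# Read `ipa user-show <user> --all --raw` style output on stdin and compare
# krbPasswordExpiration (YYYYmmddHHMMSSZ, UTC) with $1 (default: system clock).
password_state() {
    now=${1:-$(date -u +%Y%m%d%H%M%SZ)}
    exp=$(awk 'tolower($1) == "krbpasswordexpiration:" { print $2; exit }')
    if [ -z "$exp" ]; then echo "no-expiration-found"; return 0; fi
    # Fixed-width digits: strip the trailing Z and compare as integers.
    if [ "${exp%Z}" -lt "${now%Z}" ]; then
        echo "expired $exp"
    else
        echo "valid-until $exp"
    fi
}

# Compare client and KDC clocks (epoch seconds) against the allowed skew.
skew_state() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    if [ "$d" -gt "$MAX_SKEW" ]; then echo "skew-too-great ${d}s"; else echo "skew-ok ${d}s"; fi
}

# Constructed sample: the installer output quoted at the top of this post.
printf '%s\n' 'Kerberos authentication failed' \
    'kinit: Cannot read password while getting initial credentials' \
    | classify_kinit_output
```

A result of `retry-interactively` means the calling tool could not answer a kinit prompt, so running kinit by hand, as shown above, reveals the underlying message.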

4 comments

  1. Greetings Christian,
    Your post saves my time.
    I am playing with VM images for RHCSA and encountered a similar error.

    Could you share how you found that the cause is password expiration?

    • Hey Ek C.
      When retrieving a Kerberos ticket, you will receive an error message regarding the expired password. On the other hand, you could check the user within FreeIPA as there is also a hint about expired passwords.

      Does this help?

      Best wishes,

  2. I’m praising you now, man! Wasted a day in my work trying to figure this shit out, trying many different approaches, but this one was what saved me!
    Thank you so much!

    Ek C.
