Short tip: kinit: Cannot read password while getting initial credentials

While registering a client system with a FreeIPA server I recently stumbled upon the following error message:

1# ipa-client-install
2...
3User authorized to enroll computers: admin
4...
5Kerberos authentication failed
6kinit: Cannot read password while getting initial credentials

After wasting quite a lot of time with analyzing configuration files and also SELinux I remembered that the cause for this issue can be quite simple. Try to generate a Kerberos ticket using kinit when receiving error messages like this - it is possible that the password simply expired:

1# kinit admin@STANKOWIC.LOC
2Password for admin@STANKOWIC.LOC:
3Password expired.  You must change it now.
4Enter new password:
5Enter it again:

Another common issue is that time stamps have a too big difference between Kerberos client and server. Make sure to always synchronize your time settings with NTP.