(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] 
(0x0400): Child responded: 14 [Client not found in Kerberos database], expired 
on [0]
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] 
(0x0100): Could not get TGT: 14 [Bad address]
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] 
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret 
[1432158219](Authentication Failed)
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] 
[_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called 
from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2023

This means the client is not enrolled to IPA or it’s using a different 
principal that it’s supposed to. It is attempting kinit with 
host/ab01.sg.aws.example.com <http://ab01.sg.aws.example.com/> and the IPA 
server doesn’t know this principal.

You can reproduce the same thing with “kinit -k”. Btw seeing this is AWS, 
please check if the hostname or the value of ipa_hostname matches the hostnames 
in the keytab (see "klist -k”).

> On 10 Aug 2017, at 06:18, Supratik Goswami <supratiksek...@gmail.com> wrote:
> <sssd_logs.log>

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to