On 10/13/2017 10:21 AM, Rob Crittenden wrote:

So yeah, you've moving right along. I was in the middle of asking you to check krb5.conf when this one came in :-)

So the reason the resubmit failed is certmonger tracks the location, etc for certs to prevent duplicates (and racing at renewal time). You can either drop a request using ipa-getcert stop-tracking -i <id>
I stopped tracking the old request and submitted a new one.

I'd check for SELinux issues on /etc/krb5.keytab. Perms should be 0600 root:root.
SELinux is disabled on this box and permissions are correct.

Or maybe it's the keytab itself. You can tell via:

#  kinit -kt /etc/krb5.keytab

You need a key for the value of `hostname`.
This is what I get when checking the keytab itself:

kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials

When I ran this on one of the other AK boxes I get no output at all.  Granted, all but 2 of these AK boxes were setup using ipa-client-install, so I don't know if that matters or not.

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to