Mark Haney via FreeIPA-users wrote:
On 10/13/2017 10:21 AM, Rob Crittenden wrote:
So yeah, you're moving right along. I was in the middle of asking you
to check krb5.conf when this one came in :-)
So the reason the resubmit failed is certmonger tracks the location,
etc for certs to prevent duplicates (and racing at renewal time). You
can either drop a request using ipa-getcert stop-tracking -i <id>
I stopped tracking the old request and submitted a new one.
I'd check for SELinux issues on /etc/krb5.keytab. Perms should be 0600
SELinux is disabled on this box and permissions are correct.
Or maybe it's the keytab itself. You can tell via:
# kinit -kt /etc/krb5.keytab
You need a key for the value of `hostname`.
This is what I get when checking the keytab itself:
kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials
When I ran this on one of the other AK boxes I get no output at all.
Granted, all but 2 of these AK boxes were setup using
ipa-client-install, so I don't know if that matters or not.
Sounds like the keytab is out-of-sync. Try this:
# klist -kt /etc/krb5.keytab
Note the kvno
On a machine you can kinit on:
$ kinit admin
$ kvno <principal of non-working client>
The kvno should match that of the keytab. If not you'll need to
Note that by default ipa-getkeytab generates new keys every time it is
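The KVNO comparison described in the thread (keytab entry versus what the KDC reports), as an added example that is not part of the original messages. The function names, the `example.test` principal and the sample `klist`/`kvno` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the KVNO stored in a keytab with the KVNO the KDC reports.
# Function names and sample data are constructed for illustration.

# keytab_kvnos PRINCIPAL: read `klist -kt` output on stdin, print the distinct
# KVNOs stored for PRINCIPAL, highest first (one line per enctype is collapsed).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -rnu
}

# kdc_kvno: read `kvno <principal>` output ("<principal>: kvno = N"), print N.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 on match, 1 on mismatch, 2 if the keytab has no key for PRINCIPAL,
# 3 if the KDC answer could not be parsed.
check_kvno() {
    ck_kt=$(printf '%s\n' "$2" | keytab_kvnos "$1" | head -n 1)
    ck_kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$ck_kt" ]; then
        echo "MISSING: no key for $1 in keytab"; return 2
    elif [ -z "$ck_kdc" ]; then
        echo "UNKNOWN: could not read KDC kvno"; return 3
    elif [ "$ck_kt" -eq "$ck_kdc" ]; then
        echo "OK: keytab and KDC both at kvno $ck_kdc"; return 0
    fi
    echo "MISMATCH: keytab kvno $ck_kt, KDC kvno $ck_kdc"; return 1
}

# Constructed sample output (not taken from the thread).
SAMPLE_PRINC='host/client.example.test@EXAMPLE.TEST'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------
   1 10/12/2017 09:14:02 host/client.example.test@EXAMPLE.TEST
   1 10/12/2017 09:14:02 host/client.example.test@EXAMPLE.TEST'
SAMPLE_KVNO='host/client.example.test@EXAMPLE.TEST: kvno = 2'

check_kvno "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true

# On a live host, feed it the real command output instead:
#   check_kvno "$p" "$(klist -kt /etc/krb5.keytab)" "$(kvno "$p")"
```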