Mark Haney via FreeIPA-users wrote:
On 10/13/2017 10:21 AM, Rob Crittenden wrote:

So yeah, you've moving right along. I was in the middle of asking you
to check krb5.conf when this one came in :-)

So the reason the resubmit failed is certmonger tracks the location,
etc for certs to prevent duplicates (and racing at renewal time). You
can either drop a request using ipa-getcert stop-tracking -i <id>
I stopped tracking the old request and submitted a new one.

I'd check for SELinux issues on /etc/krb5.keytab. Perms should be 0600
SELinux is disabled on this box and permissions are correct.

Or maybe it's the keytab itself. You can tell via:

#  kinit -kt /etc/krb5.keytab

You need a key for the value of `hostname`.
This is what I get when checking the keytab itself:

kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials

When I ran this on one of the other AK boxes I get no output at all.
Granted, all but 2 of these AK boxes were setup using
ipa-client-install, so I don't know if that matters or not.

Sounds like the keytab is out-of-sync. Try this:

# klist -kt /etc/krb5.keytab

Note the kvno

On a machine you can kinit on:

$ kinit admin
$ kvno <principal of non-working client)

The kvno should match that of the keytab. If not you'll need to regenerate it.

Note that by default ipa-getkeytab generates new keys every time it is executed.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to