On 10/13/2017 11:23 AM, Rob Crittenden wrote:
Sounds like the keytab is out-of-sync. Try this:

# klist -kt /etc/krb5.keytab

Note the kvno

On a machine you can kinit on:

$ kinit admin
$ kvno <principal of non-working client>

The kvno should match that of the keytab. If not, you'll need to regenerate it.

Note that by default ipa-getkeytab generates new keys every time it is executed.

rob
The kvno matches:
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net

kvno host/rad.astacalaska....@neonova.net
host/rad.astacalaska....@neonova.net: kvno = 1

On a side note, on the problem box, I can 'kinit admin' and supply the correct NEONOVA.NET admin password without problems. If I do a 'klist' with no params, I get this:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@neonova.net

Valid starting     Expires            Service principal
10/13/17 10:13:37  10/14/17 10:13:05 krbtgt/neonova....@neonova.net

And when I run 'klist' on the server that I ran kvno on I get this:

[root@rad0 pki]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@neonova.net

Valid starting     Expires            Service principal
10/13/17 12:57:04  10/14/17 12:56:51 krbtgt/neonova....@neonova.net
10/13/17 12:57:33  10/14/17 12:56:51 host/rad.astacalaska....@neonova.net

I can also run kvno on the problem server and it outputs the same:

[root@rad pki]# kvno host/rad.astacalaska....@neonova.net
host/rad.astacalaska....@neonova.net: kvno = 1

So, I'm at a total loss as to the problem.  It looks like IPA authentication works (at least with kinit), but it's not for other accounts.

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
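The check Rob describes above (compare the kvno in the keytab with the kvno the KDC reports) as a small script. This is an added example, not code from the thread or from FreeIPA; the principal, realm and timestamps in the sample output are constructed placeholders, and the parsing functions are fed that constructed output so the script runs offline. `live_check` shows the same comparison against a real keytab and KDC. The one wrinkle the example handles that the prose does not: a keytab often holds several entries for one principal (one per enctype, plus stale entries left by earlier `ipa-getkeytab` runs), so it compares the highest kvno present.

```shell
#!/bin/sh
# Added example: keytab kvno vs. KDC kvno comparison.
# Principal/realm/timestamps below are made-up placeholders.

# Highest kvno for a principal in `klist -kt` output (read from stdin).
# Several entries per principal are normal (one per enctype, plus stale
# entries from earlier ipa-getkeytab runs), so take the maximum.
keytab_kvno() {
    principal="$1"
    awk -v p="$principal" '
        $NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; else exit 1 }
    '
}

# kvno the KDC reports, parsed from `kvno <principal>` output on stdin.
kdc_kvno() {
    sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compare the two. Prints a verdict; returns 0 when in sync, 1 when the
# numbers differ, 2 when either output could not be parsed.
compare_kvno() {
    principal="$1"; keytab_out="$2"; kvno_out="$3"
    kt=$(printf '%s\n' "$keytab_out" | keytab_kvno "$principal") || {
        echo "principal $principal not found in keytab"; return 2; }
    kdc=$(printf '%s\n' "$kvno_out" | kdc_kvno)
    [ -n "$kdc" ] || { echo "could not parse kvno output"; return 2; }
    if [ "$kt" = "$kdc" ]; then
        echo "in sync (kvno $kt)"
        return 0
    fi
    echo "out of sync: keytab kvno $kt, KDC kvno $kdc (regenerate the keytab)"
    return 1
}

# Live version: needs a TGT (`kinit admin` first). Not exercised offline.
live_check() {
    principal="$1"; keytab="${2:-/etc/krb5.keytab}"
    compare_kvno "$principal" "$(klist -kt "$keytab")" "$(kvno "$principal")"
}

# Constructed sample output, shaped like klist -kt / kvno output.
SAMPLE_PRINCIPAL='host/client.example.test@EXAMPLE.TEST'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/12/17 14:37:41 host/client.example.test@EXAMPLE.TEST
   1 10/12/17 14:37:41 host/client.example.test@EXAMPLE.TEST
   2 10/13/17 09:02:10 host/client.example.test@EXAMPLE.TEST
   2 10/13/17 09:02:10 host/client.example.test@EXAMPLE.TEST'
SAMPLE_KVNO_OK='host/client.example.test@EXAMPLE.TEST: kvno = 2'
SAMPLE_KVNO_STALE='host/client.example.test@EXAMPLE.TEST: kvno = 3'

# Stand-alone demonstration on the constructed data.
compare_kvno "$SAMPLE_PRINCIPAL" "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK"
compare_kvno "$SAMPLE_PRINCIPAL" "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" || true
```

A matching kvno, as in the thread, only shows the key versions agree; it does not prove the key bytes in the keytab are the ones the KDC holds. The direct test of the keytab itself is `kinit -kt /etc/krb5.keytab host/<fqdn>`: if that obtains a TGT, the host key is good and the problem lies elsewhere (for example in the client's SSSD or PAM configuration), and if it fails with a preauthentication error the keytab needs regenerating regardless of what kvno says.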
