Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users <email@example.com>
> writes:
>
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first? Should this be generated when I
>> add the server to the domain/realm?
>
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
>
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may have some information on the connection failure. To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base vendorName

rob