Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
> 
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local 
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first?  Should this be generated when I
>> add the server to the domain/realm?
> 
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
> 
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need
to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may
have some information on the connection failure.

To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
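
Following the access-log suggestion in the reply above, this is an added example (not part of the original thread or of FreeIPA) that scans 389-ds access log text for connections that requested StartTLS but never logged a TLS session. The sample lines are constructed, the line layout is an assumption about the access log format, and `failed_starttls` is a hypothetical helper name.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation

# Constructed sample; the layout is assumed to follow the 389-ds access log.
SAMPLE_LOG = """\
[10/May/2017:09:14:01.100000000 -0400] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[10/May/2017:09:14:01.110000000 -0400] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[10/May/2017:09:14:01.120000000 -0400] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[10/May/2017:09:14:01.150000000 -0400] conn=7 TLS1.2 256-bit AES-GCM
[10/May/2017:09:14:01.200000000 -0400] conn=7 op=-1 fd=64 closed - U1
[10/May/2017:09:15:30.100000000 -0400] conn=8 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.20
[10/May/2017:09:15:30.110000000 -0400] conn=8 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[10/May/2017:09:15:30.120000000 -0400] conn=8 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[10/May/2017:09:15:30.300000000 -0400] conn=8 op=-1 fd=65 closed - Encountered end of file.
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
EXT = re.compile(r'^op=(\d+) EXT oid="([^"]+)"')
RESULT = re.compile(r"^op=(\d+) RESULT err=(\d+)")
TLS_UP = re.compile(r"^(?:TLS|SSL)\S* \d+-bit ")  # line logged once the handshake completes
CLOSED = re.compile(r"closed - (.*)$")


def failed_starttls(log_text):
    """Return {conn: state} for connections that requested StartTLS but never logged a TLS session."""
    conns = defaultdict(lambda: {"op": None, "err": None, "tls": False, "closed": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not carry a connection id
        state, rest = conns[int(m.group(1))], m.group(2)
        if (e := EXT.match(rest)) and e.group(2) == STARTTLS_OID:
            state["op"] = e.group(1)          # remember which op asked for StartTLS
        elif (r := RESULT.match(rest)) and r.group(1) == state["op"]:
            state["err"] = int(r.group(2))    # server's answer to the StartTLS request
        elif TLS_UP.match(rest):
            state["tls"] = True
        elif (c := CLOSED.search(rest)):
            state["closed"] = c.group(1)
    return {cid: s for cid, s in conns.items() if s["op"] is not None and not s["tls"]}


if __name__ == "__main__":
    for cid, s in failed_starttls(SAMPLE_LOG).items():
        print(f"conn={cid} StartTLS err={s['err']}, no TLS session, closed: {s['closed']}")
```

If the log shows no StartTLS request at all for the time of the failed `ipa-getkeytab` run, the client never reached this server, which points at name resolution or the network rather than the TLS setup.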