Do I need to do any of this:
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --right=read
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
ipa role-add 'Radius server' --desc="Radius server role"
ipa role-add-privilege --privileges="Radius services" 'Radius server'
  

    On Monday, November 20, 2017 4:54 PM, Andrew Meyer <andrewm...@yahoo.com> 
wrote:
 

[andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H ldap://asm-dns01.meyer.local -b '' -s base vendorName
version: 1

dn:
vendorName: 389 Project
[andrew.meyer@asm-rancid02 ~]$
[andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p 'radiusd/asm-rancid02.mgt.asm.borg.local' -s asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
[andrew.meyer@asm-rancid02 ~]$
 

    On Monday, November 20, 2017 4:42 PM, Rob Crittenden <rcrit...@redhat.com> 
wrote:
 

 Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
> 
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local 
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first?  Should this be generated when I
>> add the server to the domain/realm?
> 
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
> 
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need
to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may
have some information on the connection failure.

To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName

rob
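Rob points at the 389-ds access log for the connection failure. The script below, an added example that is not part of the thread, pulls the startTLS extended-operation results out of such a log and ties each one to the client IP, so a client-side "Unable to initialize STARTTLS session" can be matched to the server's err code. The log lines and IPs are constructed samples; the line layout follows the 389-ds access log format.

```shell
#!/bin/sh
# Added example: correlate startTLS extended ops with their RESULT lines
# in a 389-ds access log. SAMPLE_LOG is constructed; IPs are documentation
# addresses, not hosts from the thread.
SAMPLE_LOG='[20/Nov/2017:16:50:01.000000000 -0600] conn=101 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[20/Nov/2017:16:50:01.000100000 -0600] conn=101 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Nov/2017:16:50:01.000200000 -0600] conn=101 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[20/Nov/2017:16:50:01.000300000 -0600] conn=101 TLS1.2 128-bit AES
[20/Nov/2017:16:50:02.000000000 -0600] conn=102 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[20/Nov/2017:16:50:02.000100000 -0600] conn=102 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Nov/2017:16:50:02.000200000 -0600] conn=102 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Nov/2017:16:50:02.000300000 -0600] conn=102 op=-1 fd=65 closed - B1'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# Print "conn=N <client-ip> err=E" for every startTLS request in the log.
# Connection lines give us conn -> client IP; the EXT line marks the
# startTLS op; the RESULT line with the same conn/op carries the err code.
starttls_results() {
    awk '
    /connection from/ {
        for (i = 1; i <= NF; i++) { if ($i ~ /^conn=/) c = $i; if ($i == "from") ip = $(i + 1) }
        client[c] = ip
    }
    /name="startTLS"/ {
        for (i = 1; i <= NF; i++) { if ($i ~ /^conn=/) c = $i; if ($i ~ /^op=/) o = $i }
        pending[c " " o] = 1
    }
    / RESULT / {
        for (i = 1; i <= NF; i++) { if ($i ~ /^conn=/) c = $i; if ($i ~ /^op=/) o = $i; if ($i ~ /^err=/) e = $i }
        if ((c " " o) in pending) { print c, client[c], e; delete pending[c " " o] }
    }' "$1"
}

# Count startTLS attempts from one client IP that did not end with err=0.
# Usage: failed_starttls_for LOGFILE CLIENT_IP
failed_starttls_for() {
    starttls_results "$1" | awk -v ip="$2" '$2 == ip && $3 != "err=0"' | wc -l | tr -d ' '
}

starttls_results "$SAMPLE_FILE"
printf 'failed startTLS attempts from 192.0.2.20: %s\n' "$(failed_starttls_for "$SAMPLE_FILE" 192.0.2.20)"
```

Run it against the real access log on the IPA server (`/var/log/dirsrv/slapd-<INSTANCE>/access`, instance name placeholder); note that 389-ds buffers access-log writes by default, so the lines for a just-failed attempt may lag by some seconds.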

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org