my host is asm-dns01.meyer.local  

On Monday, November 20, 2017 4:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

 Andrew Meyer wrote:
> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
> ldap://asm-dns01.meyer.local -b '' -s base vendorName
> version: 1
> 
> dn:
> vendorName: 389 Project
> 
> [andrew.meyer@asm-rancid02 ~]$
> 
> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [andrew.meyer@asm-rancid02 ~]$

What host is your IPA server? You used asm-dns01.meyer.local for the
LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.

rob

> 
> 
> 
> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
> <rcrit...@redhat.com> wrote:
> 
> 
> Robbie Harwood via FreeIPA-users wrote:
> 
>> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
>> writes:
>>
>>> [root@asm-rancid02 <mailto:root@asm-rancid02> keytabs]# ipa-getkeytab
> -s asm-rancid02.mgt.asm.borg.local. -p
> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Retrying with pre-4.0 keytab retrieval method...
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Failed to get keytab
>>> [root@asm-rancid02 <mailto:root@asm-rancid02> keytabs]#
>>>
>>> Do I need to generate a keytab first?  Should this be generated when I
>>> add the server to the domain/realm?
>>
>> This looks like it wasn't able to connect properly, so it hasn't reached
>> the point where Kerberos is involved.
>>
>> Keytabs are generated when the machine is enrolled in the realm.
> 
> 
> The host keytab is generated by ipa-client-install. Service keytabs need
> to be retrieved separately using ipa-getkeytab.
> 
> It's strange that the starttls is failing. The 389-ds access log may
> have some information on the connection failure.
> 
> To exercise it you can do something like:
> 
> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
> 
> rob
> 
> 
> 



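Rob's quoted suggestion above is to exercise StartTLS with `ldapsearch -ZZ` and then read the 389-ds access log for the connection that failed. The following is an added example, not code from the thread or from the 389-ds or FreeIPA projects: it correlates access-log lines per `conn=` id and reports whether each connection that requested the startTLS extended operation (OID 1.3.6.1.4.1.1466.20037) actually negotiated TLS, was refused, or was closed before TLS came up. The log lines embedded in `SAMPLE_LOG` are constructed to follow the 389-ds access-log layout and are not real server output; the status names (`tls-ok`, `starttls-refused`, `closed-before-tls`, `no-starttls`) are this example's own.

```python
"""Classify StartTLS outcomes per connection in a 389-ds access log.

Added example for the thread above. The sample log is constructed; the line
layout is assumed to follow the 389-ds access-log format, where every line
carries a timestamp and a conn=N id, extended operations appear as
'op=M EXT oid="..."', and a negotiated TLS session is logged as e.g.
'conn=N TLS1.2 128-bit AES'.
"""
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample: conn 41 negotiates TLS, conn 42 gets a successful
# startTLS RESULT but closes before any TLS line, conn 43 is refused with a
# non-zero err, conn 44 never asks for StartTLS at all.
SAMPLE_LOG = """\
[20/Nov/2017:16:50:01.000000000 -0600] conn=41 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[20/Nov/2017:16:50:01.001000000 -0600] conn=41 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Nov/2017:16:50:01.002000000 -0600] conn=41 op=0 RESULT err=0 tag=120 nentries=0 etime=0.000512
[20/Nov/2017:16:50:01.050000000 -0600] conn=41 TLS1.2 128-bit AES
[20/Nov/2017:16:50:01.060000000 -0600] conn=41 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Nov/2017:16:50:01.070000000 -0600] conn=41 op=1 RESULT err=0 tag=97 nentries=0 etime=0.010000
[20/Nov/2017:16:50:02.000000000 -0600] conn=42 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.20
[20/Nov/2017:16:50:02.001000000 -0600] conn=42 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Nov/2017:16:50:02.002000000 -0600] conn=42 op=0 RESULT err=0 tag=120 nentries=0 etime=0.000498
[20/Nov/2017:16:50:02.100000000 -0600] conn=42 op=-1 fd=65 closed - B1
[20/Nov/2017:16:50:03.000000000 -0600] conn=43 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.20
[20/Nov/2017:16:50:03.001000000 -0600] conn=43 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Nov/2017:16:50:03.002000000 -0600] conn=43 op=0 RESULT err=52 tag=120 nentries=0 etime=0.000301
[20/Nov/2017:16:50:03.010000000 -0600] conn=43 op=-1 fd=66 closed - U1
[20/Nov/2017:16:50:04.000000000 -0600] conn=44 fd=67 slot=67 connection from 192.0.2.13 to 192.0.2.20
[20/Nov/2017:16:50:04.001000000 -0600] conn=44 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorName"
[20/Nov/2017:16:50:04.002000000 -0600] conn=44 op=0 RESULT err=0 tag=101 nentries=1 etime=0.000200
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
EXT_RE = re.compile(r'^op=(?P<op>-?\d+) EXT oid="(?P<oid>[^"]+)"')
RESULT_RE = re.compile(r"^op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)")
TLS_RE = re.compile(r"^(?:TLS|SSL)\S*\s")  # e.g. "TLS1.2 128-bit AES"
CLOSED_RE = re.compile(r"\bclosed\b")


def analyze(log_text):
    """Return {conn_id: status} for every connection seen in log_text."""
    conns = defaultdict(
        lambda: {"starttls_op": None, "err": None, "tls": False, "closed": False}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        state = conns[m.group("conn")]
        rest = m.group("rest")
        ext = EXT_RE.match(rest)
        if ext and ext.group("oid") == STARTTLS_OID:
            state["starttls_op"] = ext.group("op")  # remember which op to watch
            continue
        res = RESULT_RE.match(rest)
        if res and res.group("op") == state["starttls_op"] and state["err"] is None:
            state["err"] = int(res.group("err"))  # server's answer to startTLS
            continue
        if TLS_RE.match(rest):
            state["tls"] = True  # handshake completed on this connection
        elif CLOSED_RE.search(rest):
            state["closed"] = True
    return {c: classify(s) for c, s in sorted(conns.items(), key=lambda kv: int(kv[0]))}


def classify(s):
    if s["starttls_op"] is None:
        return "no-starttls"
    if s["err"] not in (None, 0):
        return "starttls-refused"  # server answered the EXT op with an error
    if s["tls"]:
        return "tls-ok"
    return "closed-before-tls" if s["closed"] else "tls-pending"


def flag_suspicious(log_text):
    """Connection ids where StartTLS was requested but never came up."""
    bad = ("starttls-refused", "closed-before-tls")
    return [c for c, status in analyze(log_text).items() if status in bad]


if __name__ == "__main__":
    for conn, status in analyze(SAMPLE_LOG).items():
        print(f"conn={conn}: {status}")
    print("needs a look:", flag_suspicious(SAMPLE_LOG))
```

Run against the real access log of the server the client is actually talking to (the thread's open question is which host that is), and look for the `conn=` id whose source address is the client: a `closed-before-tls` connection points at a handshake problem on the wire (certificate or CA trust on the client side, for example), while `starttls-refused` means the server itself declined the extended operation, which is a server configuration matter rather than a client one.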
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
