Andrew Meyer wrote: > my host is asm-dns01.meyer.local That didn't answer the question. The question was which host is an IPA master?
The -s argument of ipa-getkeytab should be an IPA master. Near as I can tell you used the host you want to generate the keytab for and not an IPA master. rob > > > On Monday, November 20, 2017 4:57 PM, Rob Crittenden > <rcrit...@redhat.com> wrote: > > > Andrew Meyer wrote: >> [andrew.meyer@asm-rancid02 <mailto:andrew.meyer@asm-rancid02> ~]$ > ldapsearch -LL -x -ZZ -H >> ldap://asm-dns01.meyer.local -b '' -s base vendorName >> version: 1 >> >> dn: >> vendorName: 389 Project >> >> [andrew.meyer@asm-rancid02 <mailto:andrew.meyer@asm-rancid02> ~]$ >> >> [andrew.meyer@asm-rancid02 <mailto:andrew.meyer@asm-rancid02> ~]$ > ipa-getkeytab -p >> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s >> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab >> Unable to initialize STARTTLS session >> Failed to bind to server! >> Retrying with pre-4.0 keytab retrieval method... >> Unable to initialize STARTTLS session >> Failed to bind to server! >> Failed to get keytab >> [andrew.meyer@asm-rancid02 <mailto:andrew.meyer@asm-rancid02> ~]$ > > What host is your IPA server? You used asm-dns01.meyer.local for the > LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab. > > rob > >> >> >> >> On Monday, November 20, 2017 4:42 PM, Rob Crittenden >> <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote: >> >> >> Robbie Harwood via FreeIPA-users wrote: >> >>> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>> >>> writes: >>> >>>> [root@asm-rancid02 <mailto:root@asm-rancid02> > <mailto:root@asm-rancid02 <mailto:root@asm-rancid02>> keytabs]# > ipa-getkeytab >> -s asm-rancid02.mgt.asm.borg.local. -p >> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab >>>> Unable to initialize STARTTLS session >>>> Failed to bind to server! >>>> Retrying with pre-4.0 keytab retrieval method... >>>> Unable to initialize STARTTLS session >>>> Failed to bind to server! >>>> Failed to get keytab >>>> [root@asm-rancid02 <mailto:root@asm-rancid02> > <mailto:root@asm-rancid02 <mailto:root@asm-rancid02>> keytabs]# > >>>> >>>> Do I need to generate a keytab first? Should this be generated when I >>>> add the server to the domain/realm? >>> >>> This looks like it wasn't able to connect properly, so it hasn't reached >>> the point where Kerberos is involved. >>> >>> Keytabs are generated when the machine is enrolled in the realm. >> >> >> The host keytab is generated by ipa-clinet-install. Service keytabs need >> to be retrieved separately using ipa-getkeytab. >> >> It's strange that the starttls is failing. The 389-ds access log may >> have some information on the connection failure. >> >> To exercise it you can do something like: >> >> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base vendorName >> >> rob >> >> >> > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
