On to, 02 tammi 2020, Petar Kozić via FreeIPA-users wrote:
I missed that I have this file; actually it is a link file because I'm using
docker.

/etc/krb5.keytab

If I run *klist -kt /etc/krb5.keytab* I get

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  2 04/05/2019 10:05:50 host/[email protected]
  2 04/05/2019 10:05:50 host/[email protected]
  2 04/05/2019 10:05:50 host/[email protected]
  2 04/05/2019 10:05:50 host/[email protected]
  2 04/05/2019 10:05:50 host/[email protected]
  2 04/05/2019 10:05:50 host/[email protected]

--

Petar Kozić

On January 2, 2020 at 7:59:13 PM, Petar Kozić ([email protected]) wrote:

I also noticed this file doesn't exist:

MEMORY:/etc/krb5.keytab


Please help me if someone knows. This is a very important service for me.

Thank you !

--

Petar Kozić

On January 2, 2020 at 7:46:33 PM, Petar Kozić ([email protected]) wrote:

Hi,
I'm using my IPA server in docker. I've been using that server for more than 8-9
months for ssh login.
Everything worked well until a few hours ago.
I can't log in to ssh and I get this strange error:

[sssd[ldap_child[2171]]][2171]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to
create GSSAPI-encrypted LDAP connection.

Does someone have an idea how to solve this?

The in-memory keytab is something SSSD copies the keys from
/etc/krb5.keytab into for its own internal operations; it is OK not to be
able to access it.
Your problem is different. 'Pre-authentication failed' is Kerberos speak
for a wrong key (or password) used by the client. This means you have a
different key in the keytab (/etc/krb5.keytab) and in the KDC database.

What you need to do:
  - check which key version number is in your /etc/krb5.keytab with
    klist -k -t /etc/krb5.keytab -- your output above shows that KVNO
    value is '2'.

  - use the following to query for a KVNO number as seen by the KDC:
    kinit admin
    kvno -S host myipaserver

If the output of the 'kvno' command shows a different number, you need to
synchronize the keytab and the key in the IPA KDC database. To do that,
you can use the ipa-getkeytab command:

kinit admin
ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver

This will force re-generation of the host keytab for the myipaserver machine
and will store the new keys in the krb5.keytab file that is on the container
volume. After this SSSD should be able to use it.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]