Thank you, I solved the problem. The problem was in the network on the IPA server. Thanks.

On Fri, Jan 3, 2020, 19:24 Alexander Bokovoy <[email protected]> wrote:

> On Thu, 02 Jan 2020, Petar Kozić via FreeIPA-users wrote:
> >I missed that I have this file, actually that is a link file because I’m
> >using docker.
> >
> >/etc/krb5.keytab
> >
> >If I run *klist -kt /etc/krb5.keytab* I get
> >
> >Keytab name: FILE:/etc/krb5.keytab
> >KVNO Timestamp           Principal
> >---- ------------------- ------------------------------------------------------
> >   2 04/05/2019 10:05:50 host/[email protected]
> >   2 04/05/2019 10:05:50 host/[email protected]
> >   2 04/05/2019 10:05:50 host/[email protected]
> >   2 04/05/2019 10:05:50 host/[email protected]
> >   2 04/05/2019 10:05:50 host/[email protected]
> >   2 04/05/2019 10:05:50 host/[email protected]
> >
> >*—*
> >
> >*Petar Kozić*
> >
> >On January 2, 2020 at 7:59:13 PM, Petar Kozić ([email protected]) wrote:
> >
> >I also noticed this file doesn’t exist
> >
> >MEMORY:/etc/krb5.keytab
> >
> >Please help me if someone knows. This is a very important service for me.
> >
> >Thank you!
> >
> >*—*
> >
> >*Petar Kozic*
> >
> >On January 2, 2020 at 7:46:33 PM, Petar Kozić ([email protected]) wrote:
> >
> >Hi,
> >I’m using my IPA server in docker. I’ve been using that server for more
> >than 8-9 months for ssh login.
> >Everything worked well until a few hours ago.
> >I can’t log in to ssh and I get this strange error:
> >
> >[sssd[ldap_child[2171]]][2171]: Failed to initialize credentials using
> >keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to
> >create GSSAPI-encrypted LDAP connection.
> >
> >Does someone have an idea how to solve this?
>
> The in-memory keytab is something SSSD copies the keys from
> /etc/krb5.keytab into for its own internal operations, it is OK to not be
> able to access it.
>
> Your problem is different. 'Pre-authentication failed' is Kerberos speak
> for a wrong key (or password) used by the client. This means you have
> a different key in the keytab (/etc/krb5.keytab) and in the KDC database.
>
> What you need to do:
>  - check which key version number is in your /etc/krb5.keytab with
>    klist -k -t /etc/krb5.keytab -- your output above shows that the KVNO
>    value is '2'.
>
>  - use the following to query for a KVNO number as seen by the KDC:
>      kinit admin
>      kvno -S host myipaserver
>
> If the output of the 'kvno' command shows a different number, you need to
> synchronize the keytab and the key in the IPA KDC database. To do that,
> you can use the ipa-getkeytab command:
>
>      kinit admin
>      ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver
>
> This will force re-generation of the host keytab for the myipaserver machine
> and will store new keys in the krb5.keytab file that is on the container
> volume. After this SSSD should be able to use it.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
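
The KVNO comparison described in the quoted reply, scripted as an added example that is not part of the thread: it parses `klist -k -t` and `kvno` output and reports whether the keytab and the KDC agree. The function names, the principal `host/ipa.example.test@EXAMPLE.TEST` and the sample command output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the principal, realm and command output below are constructed samples.

# Highest KVNO for principal $1 in `klist -k -t` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max >= 0) print max }'
}

# KVNO the KDC reports, from `kvno` output ("principal: kvno = N") on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if a value is missing.
check_kvno() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "unknown: principal not found in keytab or KDC output"
        return 2
    fi
    if [ "$1" -eq "$2" ]; then
        echo "match: kvno=$1"
    else
        echo "mismatch: keytab=$1 kdc=$2 (re-fetch the keytab with ipa-getkeytab)"
        return 1
    fi
}

PRINC='host/ipa.example.test@EXAMPLE.TEST'   # constructed principal
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/05/2019 10:05:50 host/ipa.example.test@EXAMPLE.TEST
   2 04/05/2019 10:05:50 host/ipa.example.test@EXAMPLE.TEST'
SAMPLE_KVNO='host/ipa.example.test@EXAMPLE.TEST: kvno = 3'   # constructed

kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
check_kvno "$kt" "$kdc" || true
# Live use: klist -k -t /etc/krb5.keytab | keytab_kvno "$PRINC"
#           kinit admin && kvno -S host myipaserver | kdc_kvno
```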
