Amos via FreeIPA-users wrote:
> no dice....
>
> [root@aisffcgi08 ~]# kinit admin
> Password for [email protected]:
>
> [root@aisffcgi08 ~]# ipa-getkeytab -s ipasrv01.ipa.x.org -k /etc/krb5.keytab -p host/ipasrv01.ipa.x.org
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> [root@aisffcgi08 ~]# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 08/30/2019 13:06:14 host/[email protected] (aes256-cts-hmac-sha1-96)
>    1 08/30/2019 13:06:14 host/[email protected] (aes128-cts-hmac-sha1-96)
>    1 08/30/2019 13:06:14 host/[email protected] (aes256-cts-hmac-sha384-192)
>    1 08/30/2019 13:06:14 host/[email protected] (aes128-cts-hmac-sha256-128)
>    1 08/30/2019 13:06:14 host/[email protected] (des3-cbc-sha1)
>    1 08/30/2019 13:06:14 host/[email protected] (arcfour-hmac)
>    3 01/16/2020 10:49:51 host/[email protected] (aes256-cts-hmac-sha1-96)
>    3 01/16/2020 10:49:51 host/[email protected] (aes128-cts-hmac-sha1-96)
>    4 01/16/2020 10:52:10 host/[email protected] (aes256-cts-hmac-sha1-96)
>    4 01/16/2020 10:52:10 host/[email protected] (aes128-cts-hmac-sha1-96)
>
> [root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
> host/[email protected]: kvno = 2
>
> Why does the klist command show KVNO of 3 and 4 for ipasrv01? Where is
> it getting that from?

Because you requested that principal in your ipa-getkeytab command, rather than host/[email protected]. The -p argument.

rob

> Jan 16 11:06:28 aisffcgi08 [sssd[ldap_child[58885]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection
>
> At least in my case, the error did not go away. I suspect I can just
> remove it as an IPA client and then add it back, but was trying to
> understand if there was a less extreme way to resolve this, and why it
> occurred in the first place.
>
> Amos
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
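
An added example, not part of the original thread: a Python check over `klist -kte` output that reports keytab entries for principals other than the host's own (what the `-p` argument produced above) and compares the host's highest stored KVNO with the one the KDC reports. The principal names, realm and sample output are constructed placeholders, and `parse_klist`, `audit_keytab` and their parameters are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in `klist -kte` layout; names and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------
   1 08/30/2019 13:06:14 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 08/30/2019 13:06:14 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 01/16/2020 10:49:51 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 01/16/2020 10:52:10 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# Fields per entry line: KVNO, date, time, principal, (enctype).
# Assumes the two-token timestamp shown in the thread's output.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: [enctypes]}}; header lines are skipped."""
    entries = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)][int(m.group(1))].append(m.group(3))
    return entries


def audit_keytab(text, expected_principal, kdc_kvno=None):
    """List findings for a host keytab.

    expected_principal: the host's own principal, e.g. host/<fqdn>@<REALM>.
    kdc_kvno: value printed by `kvno <principal>`, if already collected.
    """
    entries = parse_klist(text)
    findings = []
    for principal, by_kvno in entries.items():
        if principal != expected_principal:
            findings.append(f"foreign principal {principal} (kvno {sorted(by_kvno)})")
    own = entries.get(expected_principal)
    if own is None:
        findings.append(f"no entries for {expected_principal}")
    elif kdc_kvno is not None and max(own) != kdc_kvno:
        findings.append(f"keytab kvno {max(own)} differs from KDC kvno {kdc_kvno}")
    return findings


if __name__ == "__main__":
    own = "host/client.example.test@EXAMPLE.TEST"
    for finding in audit_keytab(SAMPLE_KLIST, own, kdc_kvno=2):
        print(finding)
```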
