Patterson, David via FreeIPA-users wrote:
> Hello,
>
> IPA version 4.6.8.
>
> Got a host that doesn't allow user logins, but was joined at some point to the domain.
>
> Everything that I can think of to check appears to be working:
>
>     Log into client system with local credentials
>     Logs show invalid user attempts
>     Client keytab looks valid... do these ever expire?
>         ktutil
>             read_kt /etc/krb5.keytab
>             list
>                 Shows the host/hostname.domain
>             quit
>     Cannot "id admin" or "id" any other user
>     Can obtain Kerberos keys for admin
>     Can run ipa user-show for any user
>     System appears valid in idmweb gui
>
> What did I miss?
>
>     Get a new keytab for the client with ipa-getkeytab?
Maybe...

> Is there some server/client certs I should be checking?

No.

I'd start with, as root,

    kinit -kt /etc/krb5.keytab

That will tell you if the keytab is ok.

You can also run klist -kt /etc/krb5.keytab and note the highest kvno. Then on a working system run kvno host/<host of client> and see if they match.

If either fails use ipa-getkeytab to get a new one.

I assume sssd is running? You might try their troubleshooting guide as well.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
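A small shell check for the kvno comparison rob describes (highest kvno in the client keytab versus what the KDC reports from a working host), added here as an example and not part of the thread; the klist and kvno outputs below are constructed samples and the principal name is made up.

```bash
#!/bin/sh
# Constructed sample of "klist -kt /etc/krb5.keytab" output (MIT Kerberos format).
# On the broken client you would run the real command instead.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2021 09:00:00 host/client.example.test@EXAMPLE.TEST
   3 01/15/2021 10:00:00 host/client.example.test@EXAMPLE.TEST
   3 01/15/2021 10:00:00 host/client.example.test@EXAMPLE.TEST'

# Constructed samples of "kvno host/client.example.test" run on a working system:
# one where the KDC agrees with the keytab, one where the key was rotated since.
SAMPLE_KVNO_OK='host/client.example.test@EXAMPLE.TEST: kvno = 3'
SAMPLE_KVNO_STALE='host/client.example.test@EXAMPLE.TEST: kvno = 4'

# Highest KVNO the keytab holds for a principal (klist -kt output on stdin).
# Prints 0 when the principal is not in the keytab at all.
keytab_max_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
                   END { print max + 0 }'
}

# KVNO the KDC currently serves for that principal (kvno output on stdin).
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") { print $NF + 0 }'
}

# Compare the two; returns 0 on match, 1 when the keytab is stale or missing
# the principal, in which case ipa-getkeytab is the fix rob suggests.
check_kvno() {
    principal="$1"
    kt=$(printf '%s\n' "$2" | keytab_max_kvno "$principal")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$principal")
    if [ -n "$kdc" ] && [ "$kt" -eq "$kdc" ]; then
        echo "match: keytab and KDC both at kvno $kt"
        return 0
    fi
    echo "stale: keytab kvno=$kt, KDC kvno=${kdc:-unknown}; re-fetch with ipa-getkeytab"
    return 1
}

PRINC='host/client.example.test@EXAMPLE.TEST'
check_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK"
check_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" || echo "(keytab needs refresh)"
```

Run kinit -kt /etc/krb5.keytab first as rob says; a kvno mismatch explains a kinit failure, while a match with kinit still failing points elsewhere (sssd, realm, or DNS).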
