On Fri, Feb 12, 2021 at 02:10:09PM -0000, Mike Conner via FreeIPA-users wrote:
> I'm afraid I don't know how to construct the right ipa-getkeytab command to 
> test. Do I run ipa-getkeytab on the client or on the ipa server? For the 
> [email protected] principal?

Hi,

SSSD calls

    KRB5CCNAME=/var/lib/sss/db/ccache_ipa.domain.edu /usr/sbin/ipa-getkeytab -r \
        -s test.ipa.domain.edu -p '[email protected]' \
        -k /var/lib/sss/keytabs/domain.edu.keytab-test

I added '-test' to the keytab name to not overwrite the ones created by
SSSD. The Kerberos credential cache
/var/lib/sss/db/ccache_ipa.domain.edu has the Kerberos TGT of the host
account which should have the proper permissions to request a keytab.

HTH

bye,
Sumit

> 
> I thought about STARTTLS pointing to a certificate issue. The certs on the 
> ipa server are not expired:
> 
> getcert list | grep expires
>       expires: 2022-06-18 21:28:39 UTC
>       expires: 2022-05-24 03:14:46 UTC
>       expires: 2022-05-24 03:15:16 UTC
>       expires: 2022-05-24 03:14:56 UTC
>       expires: 2038-07-11 18:11:01 UTC
>       expires: 2022-05-24 03:14:38 UTC
>       expires: 2022-08-01 03:40:17 UTC
>       expires: 2022-06-15 03:14:35 UTC
>       expires: 2022-06-15 03:14:50 UTC
> 
> Could it be an issue with an expired certificate on the AD end?
> Thank you!
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure