>I'm not sure what happened originally nor if using ktutil broke things >further. We typically don't recommend directly using Kerberos utilities in >favor of using IPA-provided commands. The Kerberos utilities are not >well-tested for interoperability with IPA. Not saying that's related but we >don't test it.
>You might try using ipa-getkeytab to get a new ds.keytab key version but with >the ldap keytab being bad I'm doubtful that this will succeed. It's a >chicken-and-egg scenario. >rob I decided to start over with the IPA server and clients. So I uninstalled everything, installed the IPA server, and installed the client on another server. I can't login on the client server using a FreeIPA user, it always says permission denied when using ssh. I'm getting the following errors in the krb5_child.log: * (2024-07-23 15:12:54): [krb5_child[5765]] [get_and_save_tgt] (0x0400): [RID#650] Attempting kinit for realm [CAPS.INT] * (2024-07-23 15:12:54): [krb5_child[5765]] [sss_krb5_responder] (0x4000): [RID#650] Got question [password]. * (2024-07-23 15:12:54): [krb5_child[5765]] [get_and_save_tgt] (0x0020): [RID#650] 2350: [-1765328360][Preauthentication failed] Thanks, Bryan
krb5_child.log
Description: Binary data
sssd_caps.int.log
Description: Binary data
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
