However, I can't LDAP/IPA authenticate still... on either client.

So what next?


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 10 March 2011 10:47 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones wrote:
> Hi,
> I have gone into the web GUI and manually removed the no. 1 client/host; it
> has now joined successfully...
> So Yes, the next issue....
> regards

I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using
kerberos credentials. It is ok if the host already exists but not
absolutely required.

* When a host is unenrolled it uses its own credentials (the service
principal in /etc/krb5.keytab host/client.example....@example.com) to
authenticate to IPA and say "I'm done with these credentials." If you
lack this principal it cannot authenticate to IPA to say "I'm done with
these credentials." If a keytab was actually created for this host and
the contents are lost then you will need to manually free it up for
enrollment again either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
tracking SSL certificates and 1029 only applies if you used the
--hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a
specific host or realm from a keytab file. It has no effect on the
server at all.
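The check-then-free procedure from the reply above (look at `ipa host-show` for "Keytab: True", and only then run `ipa host-disable` or `ipa host-del`) as a small POSIX shell script. This is an added example and not code from the thread or from the FreeIPA project; the `host-show` output it parses is constructed to match the "Keytab:" line the reply quotes, the `IPA` variable is an assumption introduced so the command can be stubbed, and the live helper at the end assumes you already hold an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a FreeIPA host entry still
# holds an issued keytab (and so must be freed) before re-running
# ipa-client-install. Field names follow the "Keytab: True" line quoted in the
# reply; the sample outputs below are constructed, not captured from a server.

IPA=${IPA:-ipa}   # assumption: lets a test or dry run substitute a stub for `ipa`

# keytab_issued OUTPUT
# 0 = "Keytab: True" present, 1 = "Keytab: False" present, 2 = no Keytab line.
keytab_issued() {
  case "$1" in
    *"Keytab: True"*)  return 0 ;;
    *"Keytab: False"*) return 1 ;;
    *)                 return 2 ;;
  esac
}

# enroll_action OUTPUT -> prints free | enroll | unknown
# "free"    keytab was issued but the client lost it: host-disable or host-del first
# "enroll"  no keytab ever issued: ipa-client-install can join directly
enroll_action() {
  rc=0
  keytab_issued "$1" || rc=$?
  case $rc in
    0) echo free ;;
    1) echo enroll ;;
    *) echo unknown ;;
  esac
}

# Constructed sample `ipa host-show` output for a host whose keytab was issued.
SAMPLE_ISSUED='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: client.example.com'

# Constructed sample for a pre-created host that never fetched a keytab.
SAMPLE_FRESH='  Host name: client2.example.com
  Principal name: host/client2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: client2.example.com'

# free_host_if_needed FQDN
# Live helper: queries IPA (needs an admin ticket from kinit) and runs
# host-disable only when a keytab is actually recorded. host-disable keeps the
# entry and revokes its keytab and certificates; use host-del instead if you
# want the entry gone entirely.
free_host_if_needed() {
  host=$1
  out=$("$IPA" host-show "$host") || return 1
  case $(enroll_action "$out") in
    free)   "$IPA" host-disable "$host" ;;
    enroll) echo "$host: no keytab issued, enroll directly" ;;
    *)      echo "$host: could not find a Keytab line in host-show output" >&2
            return 2 ;;
  esac
}

# Usage: ./free-host.sh client.example.com
if [ -n "$1" ]; then
  free_host_if_needed "$1"
fi
```

Run it with a hostname to act on a live server, or source it and call `enroll_action` on saved `ipa host-show` output to see which branch you are in without touching the server.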
