On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
> >
> >
> >< HTTP/1.1 401 Authorization Required
> >< Date: Tue, 26 Feb 2013 16:54:21 GMT
> >< Server: Apache/2.2.15 (CentOS)
> >* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found 
> >in Kerberos database< WWW-Authenticate: Negotiate

I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

        * gss_init_sec_context() failed: : Request is a replay< 
WWW-Authenticate: Negotiate

I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still 
sssd fails to work. To get sssd working on this machine I had to 
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the hosts keytab is OK? 
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd 
like to test it against the ipa-server.



  -jf

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to