Petr Spacek wrote:
On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:


< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found in Kerberos database
< WWW-Authenticate: Negotiate

I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

    * gss_init_sec_context() failed: : Request is a replay
< WWW-Authenticate: Negotiate

This is very suspicious. Could you double check time on all servers and
the client?

I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still
sssd fails to work. To get sssd working on this machine I had to
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the hosts keytab is OK?
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
like to test it against the ipa-server.

You can do a kinit as the host principal:

$ klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------
    2 10/17/12 15:22:19 host/host.example....@example.com

$ kinit -kt /etc/krb5.keytab host/host.example....@example.com

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/host.example....@example.com

Valid starting     Expires            Service principal
02/27/13 11:45:02  02/28/13 11:45:02  krbtgt/example....@example.com


You can use kvno to see what the KDC thinks the version number should be, to compare to what is in the keytab.

rob
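
The klist / kinit / kvno check above, scripted end to end, as an added example that is not code from the thread or from FreeIPA. It assumes MIT Kerberos client tools (klist, kinit, kvno, kdestroy) for the live check; the keytab path, the host name h.example.com, the realm EXAMPLE.COM and the sample command output are assumptions made up for illustration.

```shell
#!/bin/sh
# check_keytab.sh: verify a FreeIPA host keytab against the KDC.
# Added example, not code from the thread or from FreeIPA. Assumes MIT
# Kerberos client tools (klist, kinit, kvno, kdestroy) for the live check;
# the parsing and comparison helpers only read captured command output,
# so they can be exercised without a KDC.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # assumed default path, override via env

# Print the first host/ principal listed in `klist -kt` output read from stdin.
# Entry lines look like: "   2 10/17/12 15:22:19 host/h.example.com@EXAMPLE.COM"
keytab_host_principal() {
    awk '$NF ~ /^host\// { print $NF; exit }'
}

# Print the highest KVNO the keytab holds for principal $1 (klist -kt on stdin).
# A keytab may carry several key versions; only the newest matters here.
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
                   END { print max + 0 }'
}

# Extract the KVNO from `kvno` output on stdin, e.g.
# "host/h.example.com@EXAMPLE.COM: kvno = 2"
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compare the keytab KVNO ($1) with the KVNO the KDC reports ($2).
# Returns 0 on match, 1 on mismatch (stale keytab), 2 if the KDC lookup failed.
compare_kvno() {
    if [ -z "$2" ]; then
        echo "KDC lookup failed: no kvno in output (check time sync and that the host entry exists)"
        return 2
    fi
    if [ "$1" -eq "$2" ]; then
        echo "KVNO OK: keytab and KDC both at $1"
        return 0
    fi
    echo "KVNO MISMATCH: keytab=$1 kdc=$2; the keytab is stale (e.g. ipa-getkeytab was re-run), fetch a new one"
    return 1
}

# Live check: kinit with the keytab, then ask the KDC for the host
# principal's kvno and compare. A private ccache is used so the test does
# not clobber whatever credentials the caller already holds.
check_host_keytab() {
    princ=$(klist -kt "$KEYTAB" | keytab_host_principal)
    [ -n "$princ" ] || { echo "no host/ principal in $KEYTAB"; return 2; }
    kt_kvno=$(klist -kt "$KEYTAB" | keytab_kvno "$princ")

    KRB5CCNAME="FILE:/tmp/krb5cc_keytabcheck.$$"; export KRB5CCNAME
    if ! kinit -kt "$KEYTAB" "$princ"; then
        echo "kinit as $princ failed (wrong key or KVNO, clock skew, or KDC unreachable)"
        return 1
    fi
    kdc=$(kvno "$princ" 2>/dev/null | kdc_kvno)
    kdestroy >/dev/null 2>&1
    compare_kvno "$kt_kvno" "$kdc"
}

# Only run the live check where the Kerberos tools and the keytab exist.
if command -v kinit >/dev/null 2>&1 && [ -r "$KEYTAB" ]; then
    check_host_keytab
fi
```

Run it as root on the enrolled client (the keytab is normally root-readable only). A successful kinit followed by "KVNO OK" means the key in the keytab is the one the KDC currently holds; "KVNO MISMATCH" means the KDC has moved on to a newer key version and sssd's GSSAPI bind will keep failing until a fresh keytab is fetched.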

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
