Guy Matz wrote:
Sorry, should have mentioned that. I had host principal and have since
added ldap:
# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
I now get this error:
Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context Invalid credentials
with this in my krb5.log:
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
DNS/[email protected] for
krbtgt/[email protected], Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
{rep=18 tkt=18 ses=18}, DNS/[email protected] for
krbtgt/[email protected]
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
{rep=18 tkt=18 ses=18}, HTTP/[email protected] for
ldap/[email protected]
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
CONSTRAINED-DELEGATION s4u-client=DNS/[email protected]
Do I need to add DNS too?
I'm not quite sure what your goal is.
I thought you had created a user for the purpose of creating hosts and
you wanted to delegate permissions to that user.
Is this what you've done? If so, what roles is the user a member of, and
what privileges are associated with that role?
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
