On Fri, 2013-05-31 at 18:45 +0000, Guy Matz wrote:
> Sorry, should have mentioned that. I had host principal and have since
> added ldap:
> # klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 host/[email protected]
> 3 host/[email protected]
> 3 host/[email protected]
> 3 host/[email protected]
> 3 ldap/[email protected]
> 3 ldap/[email protected]
> 3 ldap/[email protected]
> 3 ldap/[email protected]
>
> I now get this error:
> Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context Invalid credentials
>
> with this in my krb5.log:
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
> DNS/[email protected] for
> krbtgt/[email protected], Additional pre-authentication required
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
> {rep=18 tkt=18 ses=18}, DNS/[email protected] for
> krbtgt/[email protected]
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
> {rep=18 tkt=18 ses=18}, HTTP/[email protected] for
> ldap/[email protected]
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
> CONSTRAINED-DELEGATION s4u-client=DNS/[email protected]
>
> Do I need to add DNS too?

No, and you shouldn't have added ldap/fqdn either as you are not hosting
an LDAP server.

Just FYI: there is no error in the snippet above, the 'NEEDED_PREAUTH'
message is normal and does not imply there is any error in the system.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
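
Added example, not part of the original thread or of FreeIPA: a small triage script for krb5kdc log lines of the shape quoted above, which treats a NEEDED_PREAUTH that is followed by ISSUE for the same client/server pair as the normal exchange and flags only other outcomes. The hosts, principals, realm (EXAMPLE.TEST) and the PREAUTH_FAILED line are constructed sample data, and the function name `classify` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the krb5kdc format quoted in the thread; hosts,
# principals and the realm EXAMPLE.TEST are placeholders, not from the page.
SAMPLE_LOG = """\
May 31 14:42:30 kdc.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: NEEDED_PREAUTH: DNS/ns.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 31 14:42:30 kdc.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ns.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 31 14:42:31 kdc.example.test krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/web.example.test@EXAMPLE.TEST for ldap/web.example.test@EXAMPLE.TEST
May 31 14:43:02 kdc.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: NEEDED_PREAUTH: host/c1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 31 14:43:02 kdc.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: host/c1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

# request type, client address, status keyword, remainder of the line
LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (AS_REQ|TGS_REQ) \(.*?\) (\S+): ([A-Z_]+): (.*)$")
# "client@REALM for server@REALM", wherever it sits in the remainder
PRINC = re.compile(r"([^\s,]+@[^\s,]+) for ([^\s,]+@[^\s,]+)")


def classify(log_text):
    """Return {(client, server): verdict} for the AS_REQ/TGS_REQ lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        p = PRINC.search(m.group(4)) if m else None
        if p:  # lines without a principal pair are skipped
            seen[(p.group(1), p.group(2))].append(m.group(3))
    verdicts = {}
    for pair, statuses in seen.items():
        errors = [s for s in statuses if s not in ("ISSUE", "NEEDED_PREAUTH")]
        if errors:
            verdicts[pair] = "failed: " + ",".join(errors)
        elif "ISSUE" in statuses:
            # NEEDED_PREAUTH followed by ISSUE is the normal two-step AS exchange
            verdicts[pair] = "ok"
        else:
            # only NEEDED_PREAUTH in this window: the client never retried
            verdicts[pair] = "preauth never completed"
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in classify(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {verdict}")
```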
