Thanks. Yes, I have realized the error of my ways . . . seems I have just needed the user to have "Host Administration" privileges. Thanks again, Guy
On 06/03/2013 09:16 AM, Simo Sorce wrote:
> On Fri, 2013-05-31 at 18:45 +0000, Guy Matz wrote:
>> Sorry, should have mentioned that. I had host principal and have since
>> added ldap:
>> # klist -k krb5.keytab
>> Keytab name: FILE:krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    3 host/ipadevmstr.collmedia....@collmedia.net
>>    3 host/ipadevmstr.collmedia....@collmedia.net
>>    3 host/ipadevmstr.collmedia....@collmedia.net
>>    3 host/ipadevmstr.collmedia....@collmedia.net
>>    3 ldap/ipadevmstr.collmedia....@collmedia.net
>>    3 ldap/ipadevmstr.collmedia....@collmedia.net
>>    3 ldap/ipadevmstr.collmedia....@collmedia.net
>>    3 ldap/ipadevmstr.collmedia....@collmedia.net
>>
>> I now get this error:
>> Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context Invalid credentials
>>
>> with this in my krb5.log:
>> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia....@collmedia.net for krbtgt/collmedia....@collmedia.net, Additional pre-authentication required
>> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia....@collmedia.net for krbtgt/collmedia....@collmedia.net
>> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia....@collmedia.net for ldap/ipadevmstr.collmedia....@collmedia.net
>> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia....@collmedia.net
>>
>> Do I need to add DNS too?
> No, and you shouldn't have added ldap/fqdn either as you are not hosting
> an LDAP server.
>
> Just FYI: there is no error in the snippet above, the 'NEEDED_PREAUTH'
> message is normal and does not imply there is any error in the system.
>
> Simo.
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
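As an added example (not code from this thread, from FreeIPA, or from MIT krb5), here is a small Python triage of the two artefacts quoted above: it parses a `klist -k` listing and flags service keys that an enrolled client would not normally hold (Simo's point about `ldap/`), and it walks krb5kdc log lines and separates real failures from the normal `NEEDED_PREAUTH` / `ISSUE` pair that a successful pre-authenticated login always produces. The hostnames, realm, addresses, the keytab listing and the `PREAUTH_FAILED` line are constructed sample data modelled on the quoted output; the exact wording after a failure status is an assumption, and the code keys only on the status token before the colon.

```python
"""Triage helpers for a `klist -k` listing and krb5kdc log lines.

Added example, not code from the thread, FreeIPA or MIT krb5.
Hosts, realm, IPs and the PREAUTH_FAILED line below are constructed
sample data modelled on the quoted output, not real records.
"""
import re

# Constructed sample: a client keytab that also carries an ldap/ key.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM
   3 ldap/client.example.com@EXAMPLE.COM
"""

# Constructed sample KDC log: one normal pre-authenticated AS exchange,
# one TGS request, and one failed login (assumed wording after the status).
SAMPLE_LOG = """\
May 31 14:42:30 kdc.example.com krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/host.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 31 14:42:30 kdc.example.com krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/host.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 31 14:42:31 kdc.example.com krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/host.example.com@EXAMPLE.COM for ldap/host.example.com@EXAMPLE.COM
May 31 14:43:05 kdc.example.com krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.120: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 31 14:43:05 kdc.example.com krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.120: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# One data row of `klist -k`: a KVNO followed by a principal name.
KEYTAB_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+@\S+)\s*$")

# Common prefix of MIT krb5kdc AS_REQ / TGS_REQ log lines.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
# "client for server" appears in both NEEDED_PREAUTH and ISSUE lines.
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def unexpected_keytab_principals(klist_output, allowed_services=("host",)):
    """Return principals whose service part is not in allowed_services.

    An enrolled client normally holds only host/ keys; a service key such
    as ldap/ belongs on the machine that actually runs that service.
    """
    found = set()
    for line in klist_output.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            found.add(m.group("principal"))
    return sorted(p for p in found if p.split("/", 1)[0] not in allowed_services)


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for other lines."""
    m = KDC_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def triage_kdc_log(text):
    """Split KDC request lines into real failures and normal traffic.

    NEEDED_PREAUTH is the KDC asking the client to prove it knows its
    key before a TGT is issued; when the same client's next AS_REQ is
    ISSUE, the login simply succeeded with pre-authentication. Only
    statuses other than ISSUE and NEEDED_PREAUTH are reported as failures.
    """
    pending = {}  # (client, ip) -> NEEDED_PREAUTH record awaiting follow-up
    failures, successes = [], []
    for line in text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["ip"])
        if rec["status"] == "NEEDED_PREAUTH":
            pending[key] = rec
        elif rec["status"] == "ISSUE":
            preauth = key in pending and rec["req"] == "AS_REQ"
            pending.pop(key, None)
            successes.append((rec["req"], rec["client"], rec["server"], preauth))
        else:
            pending.pop(key, None)
            failures.append((rec["status"], rec["client"], rec["ip"]))
    return {"failures": failures, "successes": successes}


if __name__ == "__main__":
    print("unexpected keytab entries:", unexpected_keytab_principals(SAMPLE_KEYTAB))
    result = triage_kdc_log(SAMPLE_LOG)
    for f in result["failures"]:
        print("FAILURE", *f)
    for s in result["successes"]:
        print("ok", *s)
```

Running it on a real `/var/log/krb5kdc.log` means feeding the file contents to `triage_kdc_log`; the log in the thread would produce two successes and no failures, which is what Simo says it shows.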