----- Original Message -----
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab
> on the database server (oracledbsrvr):
> oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S
> kinit: Keytab contains no suitable keys for
> host/oracledbsrvr.example....@example.com while getting initial credentials
Remove the -S option, just specify your oracledb/`hostname` principal.
With the -S option your oracledb/`hostname` principal is consumed by the -S option
and then the default principal is what you are authenticating with.
Which means "I want to obtain credentials to the oracledb/`hostname` service, not
krbtgt/example....@example.com, but I'll be authenticating as host/`hostname`".
But when you are using host/`hostname`, your keytab is supposed to contain keys
for this principal. kinit doesn't see them there and fails.
Why did you choose to use the -S option?
/ Alexander Bokovoy
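
The check kinit performs in the reply above, as an added example that is not part of the original message: it parses a keytab in the MIT version 0x0502 file format and tests whether it holds keys for the client principal being authenticated. The hostname, realm, kvno and all-zero key are constructed sample values, and `build_keytab`, `keytab_principals` and `has_keys_for` are hypothetical helper names.

```python
import struct

def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        parts = [realm.encode()] + [c.encode() for c in principal.split("/")]
        body = struct.pack(">H", len(parts) - 1)           # component count
        body += b"".join(struct.pack(">H", len(x)) + x for x in parts)
        body += struct.pack(">IIB", 1, 0, kvno)            # name type, timestamp, kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data):
    """Return [(principal@REALM, kvno, enctype)] for every live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                                      # treated as end of entries
            break
        if size < 0:                                       # hole left by a deleted entry
            pos += -size
            continue
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        names = []
        for _ in range(ncomp + 1):                         # realm first, then components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                                             # skip name type and timestamp
        kvno = data[p]
        (enctype,) = struct.unpack_from(">H", data, p + 1)
        found.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos += size
    return found

def has_keys_for(data, client):
    """True if the keytab holds a key for `client`, which kinit -k requires."""
    return any(name == client for name, _, _ in keytab_principals(data))

# Constructed sample: a keytab holding only the service principal, with a dummy key.
SAMPLE = build_keytab([("oracledb/db.test.example", "TEST.EXAMPLE", 2, 18, bytes(32))])
```

With this sample, `has_keys_for` is true for the oracledb/ principal and false for the host/ principal, which is the situation behind the "no suitable keys" error.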