Thank you, I had tried it both ways with the same results. Just misunderstood
the documentation, I guess, so I tried the -S to try to force it to use the service
keytab for authentication.

kinit -k -t /opt/oracle/admin/oracledb.keytab
kinit: Keytab contains no suitable keys for 
host/oracledbsrvr.example....@example.com while getting initial credentials

Simo just responded that I had the command wrong. I re-ran it as he indicated
and received a service ticket. Thank you both so much.


From: Alexander Bokovoy <aboko...@redhat.com>
To: sipazzo <sipa...@yahoo.com>
Cc: Freeipa-users <freeipa-users@redhat.com>
Sent: Tuesday, June 30, 2015 12:16 PM
Subject: Re: [Freeipa-users] keytab issue with service principal

----- Original Message -----
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab
> on the database server (oracledbsrvr):
> 
> oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S
> oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for
> host/oracledbsrvr.example....@example.com while getting initial credentials

Remove the -S option, just specify your oracledb/`hostname` principal.

With the -S option, your oracledb/`hostname` principal is consumed by the -S option
and then the default principal is what you are authenticating with.
Which means "I want to obtain credentials to the oracledb/`hostname` service, not
krbtgt/example....@example.com, but I'll be authenticating as host/`hostname`
for that."

But when you are using host/`hostname`, your keytab is supposed to contain keys
for this principal. kinit doesn't see them there and fails.

Why did you choose to use the -S option?
-- 
/ Alexander Bokovoy
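
Added example, not part of the original thread or of FreeIPA: a pre-flight check that lists the principals a keytab actually holds and only then runs kinit with the client principal as the positional argument (no -S). It assumes MIT Kerberos klist/kinit and plain `klist -k` output (no -e or -t); the function names, host and realm are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check which principals a keytab holds before running kinit.

# Constructed sample of plain `klist -k` output (hypothetical host and realm).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/tmp/sample.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 oracledb/db1.example.test@EXAMPLE.TEST
   1 oracledb/db1.example.test@EXAMPLE.TEST
EOF
}

# Print the unique principals from `klist -k` output read on stdin.
# Only entry lines start with a numeric KVNO; headers and the rule are skipped.
principals_in_listing() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# has_principal NAME: succeed if NAME has a key in the listing on stdin.
# A NAME without @REALM matches that name in any realm.
has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {
            p = $2
            if (index(want, "@") == 0) sub(/@[^@]*$/, "", p)
            if (p == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# kinit_as KEYTAB NAME: authenticate as NAME (positional argument, no -S),
# but only after confirming the keytab holds a key for it.
kinit_as() {
    if klist -k "$1" | has_principal "$2"; then
        kinit -k -t "$1" "$2"
    else
        echo "no key for $2 in $1; keytab holds:" >&2
        klist -k "$1" | principals_in_listing >&2
        return 1
    fi
}
```

On a real host, call kinit_as with the keytab path and the service principal; if the check fails, it prints the principals the keytab does hold.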