Thank you, I had tried it both ways with same results. Just misunderstood documentation I guess so tried the -S to try to force it to use the service keytab for authentication.
kinit -k -t /opt/oracle/admin/oracledb.keytab kinit: Keytab contains no suitable keys for host/oracledbsrvr.example....@example.com while getting initial credentials Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much. From: Alexander Bokovoy <aboko...@redhat.com> To: sipazzo <sipa...@yahoo.com> Cc: Freeipa-users <firstname.lastname@example.org> Sent: Tuesday, June 30, 2015 12:16 PM Subject: Re: [Freeipa-users] keytab issue with service principal ----- Original Message ----- > I am trying to troubleshoot kerberos authentication for an oracle service > (oracledb) and getting the following error when testing the service keytab > on the database server (oracledbsrvr): > > oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S > oracledb/oracledbsrvr.example.com > kinit: Keytab contains no suitable keys for > host/oracledbsrvr.example....@example.com while getting initial credentials Remove -S option, just specify your oracledb/`hostname` principal. With -S option your oracledb/`hostname` principal is consumed by the -S option and then default principal is what you are authenticating with. Which means "I want to obtain credentials to oracledb/`hostname` service, not krbtgt/example....@example.com, but I'll be authenticating as host/`hostname` for that." But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails. Why did you choose to use -S option? -- / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project