On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
> Hi guys
> 
> I've just installed a RHEL7 server with ipa-server 4.2.0...
> 
> Everything seems to work fine, until I add a service principal:
> 
> (Running on a client, after a kinit)
> 
> [root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p 
> HTTP/naboo.outerrim....@outerrim.lan -k /etc/krb5.keytab
> Keytab successfully retrieved and stored in: /etc/krb5.keytab

ipa-getkeytab will always create a new key unless you use the --retrieve
option.

It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.

Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.

HTH

bye,
Sumit


> 
> 
> After running the command, the web-interface returns:
> 
> The password or username you entered is incorrect.
> 
> when I try to login, and the "ipa" command has stopped working as well (both 
> on the server and client):
> 
> 
> [root@dantooine ~]# ipa user-show admin
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information (KDC 
> returned error string: 2ND_TKT_SERVER)
> [root@dantooine ~]# 
> [root@dantooine ~]# kdestroy
> [root@dantooine ~]# kinit admin
> Password for ad...@outerrim.lan: 
> [root@dantooine ~]# ipa user-show admin
> ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': 
> Unauthorized
> 
> 
> /var/log/httpd/error_log on the server gives me:
> 
> ValueError: non-generic 'CCacheError' needs format=None; got 
> format="(-1765328353, 'Decrypt integrity check failed')"
> 
> 
> What did I do wrong here???
> 
> Regards
> 
> Martin Juhl
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

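A check for the condition described in the reply above (a keytab that still holds an older key than the one the KDC now uses), added here as an example and not part of the original thread. It compares the key version number (kvno) listed by `klist -k` with the one reported by `kvno`; the principal name and both command outputs are constructed samples, and the plain two-column `klist -k` layout is assumed.

```shell
#!/bin/sh
# Added example: detect a keytab whose key is older than the key the KDC uses.
# Principal and command outputs are constructed samples, not from the thread.
PRINC='HTTP/web.example.test@EXAMPLE.TEST'   # placeholder principal

# Constructed sample of `klist -k /etc/krb5.keytab` on the service host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/web.example.test@EXAMPLE.TEST
   1 HTTP/web.example.test@EXAMPLE.TEST
   1 HTTP/web.example.test@EXAMPLE.TEST'

# Constructed sample of `kvno HTTP/web.example.test` after a new key was
# generated for the service on another host.
SAMPLE_KVNO='HTTP/web.example.test@EXAMPLE.TEST: kvno = 2'

# Print the highest kvno the keytab holds for principal $1 (klist -k on stdin).
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; else exit 1 }'
}

# Print the kvno the KDC reports for principal $1 (kvno output on stdin).
kdc_kvno() {
    awk -v p="$1" '
        $1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4; found = 1; exit }
        END { if (!found) exit 1 }'
}

# check_sync PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 if in sync, 1 if the keytab is stale, 2 if either input lacks the principal.
check_sync() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo "no keytab entry for $1"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1") || { echo "no KDC kvno for $1"; return 2; }
    if [ "$kt" -eq "$kdc" ]; then
        echo "in sync: kvno $kt"
    else
        echo "stale keytab: keytab has kvno $kt, KDC issues kvno $kdc"
        return 1
    fi
}

# On a real host, pass "$(klist -k /etc/krb5.keytab)" and "$(kvno "$PRINC")" instead.
check_sync "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```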