Some additional information.  I can't seem to use the CLI either. 
Perhaps that is expected:

# kinit admin
Password for ad...@example.com:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
Default principal: ad...@example.com

Valid starting     Expires            Service principal
21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example....@example.com

# ipa host-find
ipa: ERROR: Insufficient access:  Invalid credentials

When I do that (the ipa host-find) /var/log/krb5kdc.log says:

Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
HTTP/server.example....@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
1482352160, etypes {rep=18 tkt=18 ses=18}, HTTP/server.example....@example.com 
for ldap/server.example....@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
CONSTRAINED-DELEGATION s4u-client=ad...@example.com
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12

Not sure if that's helpful or not but it's something new (to me) so I
thought I would add it to the case.

Most unfortunately I need to access IPA to do some configuration
changes so this is getting more unfortunate than just some errors in a
log now.  :-(

Cheers,
b.

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to