Some additional information. I can't seem to use the CLI either. Perhaps that is expected:
# kinit admin
Password for [email protected]:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
Default principal: [email protected]

Valid starting     Expires            Service principal
21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/[email protected]
# ipa host-find
ipa: ERROR: Insufficient access: Invalid credentials

When I do that (the ipa host-find) /var/log/krb5kdc.log says:

Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 1482352160, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 1482352160, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for ldap/[email protected]
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... CONSTRAINED-DELEGATION [email protected]
Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12

Not sure if that's helpful or not but it's something new (to me) so I thought I would add it to the case.

Most unfortunately I need to access IPA to do some configuration changes so this is getting more unfortunate than just some errors in a log now. :-(

Cheers,
b.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
