On 21.12.2016 21:36, Brian J. Murrell wrote:
> Some additional information. I can't seem to use the CLI either.
> Perhaps that is expected:
>
> # kinit admin
> Password for ad...@example.com:
>
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> Default principal: ad...@example.com
>
> Valid starting Expires Service principal
> 21/12/16 15:29:20 22/12/16 15:29:17 krbtgt/example....@example.com
>
> # ipa host-find
> ipa: ERROR: Insufficient access: Invalid credentials
>
> When I do that (the ipa host-find) /var/log/krb5kdc.log says:
>
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime
> 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for
> HTTP/server.example....@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes
> {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime
> 1482352160, etypes {rep=18 tkt=18 ses=18},
> HTTP/server.example....@example.com for ldap/server.example....@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ...
> CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
>
> Not sure if that's helpful or not but it's something new (to me) so I
> thought I would add it to the case.
>
> Most unfortunately I need to access IPA to do some configuration
> changes so this is getting more unfortunate than just some errors in a
> log now. :-(

Yes, this will be a manifestation of the same problem. Interestingly, the LDAP server should use the ds.keytab file instead of krb5.keytab.

We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look into it.

Simo, Ludwig, how can this happen?

--
Petr^2 Spacek