On Thu, 2016-12-22 at 08:24 +0100, Petr Spacek wrote: > On 21.12.2016 21:36, Brian J. Murrell wrote: > > Some additional information. I can't seem to use the CLI either. > > Perhaps that is expected: > > > > # kinit admin > > Password for ad...@example.com: > > > > # klist > > Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m > > Default principal: ad...@example.com > > > > Valid starting Expires Service principal > > 21/12/16 15:29:20 22/12/16 15:29:17 krbtgt/example....@example.com > > > > # ipa host-find > > ipa: ERROR: Insufficient access: Invalid credentials > > > > When I do that (the ipa host-find) /var/log/krb5kdc.log says: > > > > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes > > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime > > 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for > > HTTP/server.example....@example.com > > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12 > > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes > > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime > > 1482352160, etypes {rep=18 tkt=18 ses=18}, > > HTTP/server.example....@example.com for ldap/server.example....@example.com > > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... > > CONSTRAINED-DELEGATION s4u-client=ad...@example.com > > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12 > > > > Not sure if that's helpful or not but it's something new (to me) so I > > thought I would add it to the case. > > > > Most unfortunately I need to access IPA to do some configuration > > changes so this is getting more unfortunate than just some errors in a > > log now. :-( > > Yes, this will be manifestation of the same problem. Interestingly the LDAP > server should use the ds.keytab file instead of krb5.keytab. > > We need someone from DS team of with deep Kerberos/gssproxy knowledge to look > into it. > > Simo, Ludwig, how can this happen?
As Martin said, incorrect configuration of DS makes it fall back to use the default keytab. Either /etc/sysconfig/dirsrv or the DS systemd unit file must specify the correct keytab in the KRB5_KTNAME environment variable. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project