Oddly enough the keytab location on the replica is sort of empty ...

 ls -al /var/lib/sss/keytabs/

total 4
drwx------. 2 sssd sssd  32 Dec 23 13:58 .
drwxr-xr-x. 9 root root  94 Dec 19 17:05 ..
-rw-------  1 sssd sssd 219 Dec 20 20:40 company.org.keytab



Jakub Hrozek wrote:
In addition, can you also see if the keytab with the trust principal is
there? Probably it would be /var/lib/sss/keytabs/shanetest.org.

At 15:43:11, sssd tried to fetch the keytab for this trust:
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]]
[ipa_server_trusted_dom_setup_1way] (0x0400): Will re-fetch keytab for
shanetest.org
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_send]
(0x0400): Retrieving keytab for companyidm$@SHANETEST.ORG from
usaeilidmp002.companyidm.org into
/var/lib/sss/keytabs/shanetest.org.keytabRw7Iai using ccache
/var/lib/sss/db/ccache_companyidm.ORG

But fails:
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_done]
(0x0040): ipa-getkeytab failed with status [2304]
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_recv]
(0x2000): ipa-getkeytab status 2304
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]]
[ipa_server_trust_1way_kt_done] (0x0080): ipa_getkeytab_recv failed: 1432158265

What I don't see in the logs, though, is whether we try to re-fetch the
keytab after going online (we should, though).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
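
The check discussed above (did a failed trust keytab fetch ever get retried?) can be run over an SSSD domain log with a short script. This is an added example, not part of the original thread and not SSSD or FreeIPA code; the function names are hypothetical, the sample is constructed from the entries quoted in the thread, and it assumes the log file holds one entry per line rather than the mail-wrapped form shown above.

```python
import re
from datetime import datetime

# One SSSD debug entry: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<be>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
ATTEMPT = re.compile(r"Will re-fetch keytab for (\S+)")
FAILED = re.compile(r"ipa-getkeytab failed with status \[(\d+)\]")

# Constructed sample: the entries quoted in this thread, one entry per line.
SAMPLE = """\
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_server_trusted_dom_setup_1way] (0x0400): Will re-fetch keytab for shanetest.org
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for companyidm$@SHANETEST.ORG from usaeilidmp002.companyidm.org into /var/lib/sss/keytabs/shanetest.org.keytabRw7Iai using ccache /var/lib/sss/db/ccache_companyidm.ORG
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_done] (0x0040): ipa-getkeytab failed with status [2304]
"""

def keytab_fetch_report(lines):
    """Map each trusted domain to its re-fetch attempts, in log order."""
    report, current = {}, None
    for raw in lines:
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry is None:
            # Not an SSSD entry: output of the ipa-getkeytab helper itself.
            if current is not None and line:
                current["helper_output"].append(line)
            continue
        msg = entry["msg"]
        if (m := ATTEMPT.search(msg)):
            ts = datetime.strptime(" ".join(entry["ts"].split()), "%a %b %d %H:%M:%S %Y")
            current = {"time": ts, "status": None, "helper_output": []}
            report.setdefault(m.group(1), []).append(current)
        elif (m := FAILED.search(msg)) and current is not None:
            current["status"] = int(m.group(1))  # failure closes the open attempt
            current = None
    return report

def failed_without_retry(report):
    """Domains whose most recent attempt failed, i.e. no later re-fetch was logged."""
    return sorted(d for d, tries in report.items() if tries[-1]["status"] is not None)
```

A `status` of `None` only means no failure entry followed that attempt in the lines given; the script matches nothing beyond the two message strings that appear in the thread.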
