[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
I think I figured it out.  When I issue the command to get the keytab I'm 
exporting and I was trying to overwrite the /etc/krb5.keytab file. I was not 
running this as root but rather as a regular user.  Should I overwrite the default 
krb5.keytab file?  
I'm working on documenting all of my steps.
Thank you, 

On Monday, November 20, 2017 5:54 PM, Andrew Meyer via FreeIPA-users 
 wrote:
 

 My apologies.  asm-dns01.meyer.local is my FreeIPA master. 

On Monday, November 20, 2017 5:46 PM, Rob Crittenden via FreeIPA-users 
 wrote:
 

 Andrew Meyer wrote:
> my host is asm-dns01.meyer.local 

That didn't answer the question. The question was which host is an IPA
master?

The -s argument of ipa-getkeytab should be an IPA master. Near as I can
tell you used the host you want to generate the keytab for and not an
IPA master.

rob

> 
> 
> On Monday, November 20, 2017 4:57 PM, Rob Crittenden
>  wrote:
> 
> 
> Andrew Meyer wrote:
>> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
>> ldap://asm-dns01.meyer.local -b '' -s base vendorName
>> version: 1
>>
>> dn:
>> vendorName: 389 Project
>>
>> [andrew.meyer@asm-rancid02 ~]$
>>
>> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
>> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
>> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [andrew.meyer@asm-rancid02 ~]$
> 
> What host is your IPA server? You used asm-dns01.meyer.local for the
> LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.
> 
> rob
> 
>>
>>
>>
>> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>> <rcrit...@redhat.com> wrote:
>>
>>
>> Robbie Harwood via FreeIPA-users wrote:
>>
>>> Andrew Meyer via FreeIPA-users
>>> writes:
>>>
>>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Retrying with pre-4.0 keytab retrieval method...
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Failed to get keytab
>>>> [root@asm-rancid02 keytabs]#
>>>>
>>>> Do I need to generate a keytab first?  Should this be generated when I
>>>> add the server to the domain/realm?
>>>
>>> This looks like it wasn't able to connect properly, so it hasn't reached
>>> the point where Kerberos is involved.
>>>
>>> Keytabs are generated when the machine is enrolled in the realm.
>>
>>
>> The host keytab is generated by ipa-client-install. Service keytabs need
>> to be retrieved separately using ipa-getkeytab.
>>
>> It's strange that the starttls is failing. The 389-ds access log may
>> have some information on the connection failure.
>>
>> To exercise it you can do something like:
>>
>> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
>>
>> rob
>>
>>
>>
> 
> 
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
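
A pre-flight check for the mistake diagnosed in this thread (`-s` pointing at the host the keytab is for instead of an IPA master), which also flags a service principal being written to /etc/krb5.keytab. This is an added example, not code from the thread or from FreeIPA; the function names, the sample config content, the realm EXAMPLE.TEST and the /etc/raddb/radius.keytab path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check ipa-getkeytab arguments.
# Host names are the ones quoted in the thread; the config content, the
# realm and the service keytab path are constructed for illustration.

# Lower-case a host name and drop a trailing dot.
norm_host() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Print the "server" value of an ini-style IPA client config (assumed
# layout: a "server = <fqdn>" line, as in /etc/ipa/default.conf).
conf_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Host part of a service principal "service/host[@REALM]".
principal_host() {
    h=${1#*/}
    norm_host "${h%@*}"
}

# Usage: preflight_getkeytab SERVER PRINCIPAL KEYTAB CONF
# Prints one finding per line, or "ok". Returns 1 when there are findings.
preflight_getkeytab() {
    server=$(norm_host "$1"); principal=$2; keytab=$3
    master=$(norm_host "$(conf_server "$4")")
    findings=""
    if [ "$server" != "$master" ]; then
        findings="${findings}server-mismatch: -s $server is not the configured IPA server $master
"
        if [ "$server" = "$(principal_host "$principal")" ]; then
            findings="${findings}server-is-service-host: -s names the host the keytab is for
"
        fi
    fi
    case "$principal" in
        host/*) ;;
        *)  if [ "$keytab" = "/etc/krb5.keytab" ]; then
                findings="${findings}host-keytab: service key would be added to the host keytab
"
            fi ;;
    esac
    if [ -z "$findings" ]; then echo ok; return 0; fi
    printf '%s' "$findings"
    return 1
}

# Constructed sample config naming the IPA master from the thread.
write_sample_conf() {
    f=$(mktemp)
    printf '[global]\nrealm = EXAMPLE.TEST\nserver = asm-dns01.meyer.local\n' > "$f"
    printf '%s\n' "$f"
}

conf=$(write_sample_conf)
# The failing invocation from the thread, then a corrected one.
preflight_getkeytab asm-rancid02.mgt.asm.borg.local. \
    radius/asm-rancid02.mgt.asm.borg.local /etc/krb5.keytab "$conf" || true
preflight_getkeytab asm-dns01.meyer.local \
    radius/asm-rancid02.mgt.asm.borg.local /etc/raddb/radius.keytab "$conf" || true
rm -f "$conf"
```

ipa-getkeytab appends keys to the file given with `-k`, so a dedicated file readable only by the service account keeps the service key apart from the host key.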




[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
My apologies.  asm-dns01.meyer.local is my FreeIPA master. 

On Monday, November 20, 2017 5:46 PM, Rob Crittenden via FreeIPA-users 
 wrote:
 

 Andrew Meyer wrote:
> my host is asm-dns01.meyer.local 

That didn't answer the question. The question was which host is an IPA
master?

The -s argument of ipa-getkeytab should be an IPA master. Near as I can
tell you used the host you want to generate the keytab for and not an
IPA master.

rob

> 
> 
> On Monday, November 20, 2017 4:57 PM, Rob Crittenden
>  wrote:
> 
> 
> Andrew Meyer wrote:
>> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
>> ldap://asm-dns01.meyer.local -b '' -s base vendorName
>> version: 1
>>
>> dn:
>> vendorName: 389 Project
>>
>> [andrew.meyer@asm-rancid02 ~]$
>>
>> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
>> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
>> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [andrew.meyer@asm-rancid02 ~]$
> 
> What host is your IPA server? You used asm-dns01.meyer.local for the
> LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.
> 
> rob
> 
>>
>>
>>
>> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>> <rcrit...@redhat.com> wrote:
>>
>>
>> Robbie Harwood via FreeIPA-users wrote:
>>
>>> Andrew Meyer via FreeIPA-users
>>> writes:
>>>
>>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Retrying with pre-4.0 keytab retrieval method...
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Failed to get keytab
>>>> [root@asm-rancid02 keytabs]#
>>>>
>>>> Do I need to generate a keytab first?  Should this be generated when I
>>>> add the server to the domain/realm?
>>>
>>> This looks like it wasn't able to connect properly, so it hasn't reached
>>> the point where Kerberos is involved.
>>>
>>> Keytabs are generated when the machine is enrolled in the realm.
>>
>>
>> The host keytab is generated by ipa-client-install. Service keytabs need
>> to be retrieved separately using ipa-getkeytab.
>>
>> It's strange that the starttls is failing. The 389-ds access log may
>> have some information on the connection failure.
>>
>> To exercise it you can do something like:
>>
>> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
>>
>> rob
>>
>>
>>
> 
> 
> 


[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote:
> my host is asm-dns01.meyer.local 

That didn't answer the question. The question was which host is an IPA
master?

The -s argument of ipa-getkeytab should be an IPA master. Near as I can
tell you used the host you want to generate the keytab for and not an
IPA master.

rob

> 
> 
> On Monday, November 20, 2017 4:57 PM, Rob Crittenden
>  wrote:
> 
> 
> Andrew Meyer wrote:
>> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
>> ldap://asm-dns01.meyer.local -b '' -s base vendorName
>> version: 1
>>
>> dn:
>> vendorName: 389 Project
>>
>> [andrew.meyer@asm-rancid02 ~]$
>>
>> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
>> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
>> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [andrew.meyer@asm-rancid02 ~]$
> 
> What host is your IPA server? You used asm-dns01.meyer.local for the
> LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.
> 
> rob
> 
>>
>>
>>
>> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>> <rcrit...@redhat.com> wrote:
>>
>>
>> Robbie Harwood via FreeIPA-users wrote:
>>
>>> Andrew Meyer via FreeIPA-users
>>> writes:
>>>
>>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Retrying with pre-4.0 keytab retrieval method...
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Failed to get keytab
>>>> [root@asm-rancid02 keytabs]#
>>>>
>>>> Do I need to generate a keytab first?  Should this be generated when I
>>>> add the server to the domain/realm?
>>>
>>> This looks like it wasn't able to connect properly, so it hasn't reached
>>> the point where Kerberos is involved.
>>>
>>> Keytabs are generated when the machine is enrolled in the realm.
>>
>>
>> The host keytab is generated by ipa-client-install. Service keytabs need
>> to be retrieved separately using ipa-getkeytab.
>>
>> It's strange that the starttls is failing. The 389-ds access log may
>> have some information on the connection failure.
>>
>> To exercise it you can do something like:
>>
>> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
>>
>> rob
>>
>>
>>
> 
> 
> 


[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
my host is asm-dns01.meyer.local  

On Monday, November 20, 2017 4:57 PM, Rob Crittenden  
wrote:
 

 Andrew Meyer wrote:
> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
> ldap://asm-dns01.meyer.local -b '' -s base vendorName
> version: 1
> 
> dn:
> vendorName: 389 Project
> 
> [andrew.meyer@asm-rancid02 ~]$
> 
> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [andrew.meyer@asm-rancid02 ~]$

What host is your IPA server? You used asm-dns01.meyer.local for the
LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.

rob

> 
> 
> 
> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>  wrote:
> 
> 
> Robbie Harwood via FreeIPA-users wrote:
> 
>> Andrew Meyer via FreeIPA-users
>> writes:
>>
>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Retrying with pre-4.0 keytab retrieval method...
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Failed to get keytab
>>> [root@asm-rancid02  keytabs]#
>>>
>>> Do I need to generate a keytab first?  Should this be generated when I
>>> add the server to the domain/realm?
>>
>> This looks like it wasn't able to connect properly, so it hasn't reached
>> the point where Kerberos is involved.
>>
>> Keytabs are generated when the machine is enrolled in the realm.
> 
> 
> The host keytab is generated by ipa-client-install. Service keytabs need
> to be retrieved separately using ipa-getkeytab.
> 
> It's strange that the starttls is failing. The 389-ds access log may
> have some information on the connection failure.
> 
> To exercise it you can do something like:
> 
> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
> 
> rob
> 
> 
> 





[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote:
> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
> ldap://asm-dns01.meyer.local -b '' -s base vendorName
> version: 1
> 
> dn:
> vendorName: 389 Project
> 
> [andrew.meyer@asm-rancid02 ~]$
> 
> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [andrew.meyer@asm-rancid02 ~]$

What host is your IPA server? You used asm-dns01.meyer.local for the
LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.

rob

> 
> 
> 
> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>  wrote:
> 
> 
> Robbie Harwood via FreeIPA-users wrote:
> 
>> Andrew Meyer via FreeIPA-users
>> writes:
>>
>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Retrying with pre-4.0 keytab retrieval method...
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Failed to get keytab
>>> [root@asm-rancid02  keytabs]#
>>>
>>> Do I need to generate a keytab first?  Should this be generated when I
>>> add the server to the domain/realm?
>>
>> This looks like it wasn't able to connect properly, so it hasn't reached
>> the point where Kerberos is involved.
>>
>> Keytabs are generated when the machine is enrolled in the realm.
> 
> 
> The host keytab is generated by ipa-client-install. Service keytabs need
> to be retrieved separately using ipa-getkeytab.
> 
> It's strange that the starttls is failing. The 389-ds access log may
> have some information on the connection failure.
> 
> To exercise it you can do something like:
> 
> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
> 
> rob
> 
> 
> 


[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Do I need to do any of this:
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --right=read
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
ipa role-add 'Radius server' --desc="Radius server role"
ipa role-add-privilege --privileges="Radius services" 'Radius server'
  

On Monday, November 20, 2017 4:54 PM, Andrew Meyer  
wrote:
 

[andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H ldap://asm-dns01.meyer.local -b '' -s base vendorName
version: 1

dn:
vendorName: 389 Project

[andrew.meyer@asm-rancid02 ~]$
[andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p 'radiusd/asm-rancid02.mgt.asm.borg.local' -s asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
[andrew.meyer@asm-rancid02 ~]$
 

On Monday, November 20, 2017 4:42 PM, Rob Crittenden  
wrote:
 

 Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users 
> writes:
> 
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local 
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first?  Should this be generated when I
>> add the server to the domain/realm?
> 
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
> 
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need
to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may
have some information on the connection failure.

To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName

rob


   



[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H ldap://asm-dns01.meyer.local -b '' -s base vendorName
version: 1

dn:
vendorName: 389 Project

[andrew.meyer@asm-rancid02 ~]$
[andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p 'radiusd/asm-rancid02.mgt.asm.borg.local' -s asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
[andrew.meyer@asm-rancid02 ~]$
 

On Monday, November 20, 2017 4:42 PM, Rob Crittenden  
wrote:
 

 Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users 
> writes:
> 
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local 
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first?  Should this be generated when I
>> add the server to the domain/realm?
> 
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
> 
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need
to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may
have some information on the connection failure.

To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName

rob




[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Robbie Harwood via FreeIPA-users wrote:
> Andrew Meyer via FreeIPA-users 
> writes:
> 
>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
>> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local 
>> -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [root@asm-rancid02 keytabs]#
>>
>> Do I need to generate a keytab first?  Should this be generated when I
>> add the server to the domain/realm?
> 
> This looks like it wasn't able to connect properly, so it hasn't reached
> the point where Kerberos is involved.
> 
> Keytabs are generated when the machine is enrolled in the realm.

The host keytab is generated by ipa-client-install. Service keytabs need
to be retrieved separately using ipa-getkeytab.

It's strange that the starttls is failing. The 389-ds access log may
have some information on the connection failure.

To exercise it you can do something like:

$ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName

rob


[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Not connecting to the FreeIPA server? 

   

 On Monday, November 20, 2017 4:36 PM, Robbie Harwood via FreeIPA-users 
 wrote:
 

 Andrew Meyer via FreeIPA-users 
writes:

> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k 
> /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [root@asm-rancid02 keytabs]#
>
> Do I need to generate a keytab first?  Should this be generated when I
> add the server to the domain/realm?

This looks like it wasn't able to connect properly, so it hasn't reached
the point where Kerberos is involved.

Keytabs are generated when the machine is enrolled in the realm.

Thanks,
--Robbie


[Freeipa-users] Re: adding service

2017-11-20 Thread Robbie Harwood via FreeIPA-users
Andrew Meyer via FreeIPA-users 
writes:

> [root@asm-rancid02 keytabs]# ipa-getkeytab -s 
> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k 
> /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [root@asm-rancid02 keytabs]#
>
> Do I need to generate a keytab first?  Should this be generated when I
> add the server to the domain/realm?

This looks like it wasn't able to connect properly, so it hasn't reached
the point where Kerberos is involved.

Keytabs are generated when the machine is enrolled in the realm.

Thanks,
--Robbie

