Re: [Freeipa-users] "Failed to initialize credentials using keytab [default]" errors on functioning clients
On Tue, Feb 02, 2016 at 04:59:37PM -0800, Terence Kent wrote: > Hello, > > We’ve been using SSSD with FreeIPA very successfully for a while now - we > love it. Recently, we’ve noticed that all our linux hosts (All Ubuntu 14.04) > log the following message pretty regularly (several dozen times per day): > > "Failed to initialize credentials using keytab [default]: Generic error (see > e-text). Unable to create GSSAPI-encrypted LDAP connection.” > > Now, outside of this message, we have no symptoms that things aren’t > functioning properly. SSSD is properly recognizing changes whenever we update > our FreeIPA server. > > Can anyone point us in the right direction on how to fix this issue? So far, > we’ve done the following: > > 1. Verified the /etc/krb5.keytab seems to be fine (and it does). with kinit -k, right? > 2. Verified that changes to our FreeIPA servers properly get replicated to > the clients. strange, I would have thought that this would cause the client to go offline. Can you send the complete logs? Ideally ldap_child.log and sssd_$domain.log -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] "Failed to initialize credentials using keytab [default]" errors on functioning clients
Hello, We’ve been using SSSD with FreeIPA very successfully for a while now - we love it. Recently, we’ve noticed that all our linux hosts (All Ubuntu 14.04) log the following message pretty regularly (several dozen times per day): "Failed to initialize credentials using keytab [default]: Generic error (see e-text). Unable to create GSSAPI-encrypted LDAP connection.” Now, outside of this message, we have no symptoms that things aren’t functioning properly. SSSD is properly recognizing changes whenever we update our FreeIPA server. Can anyone point us in the right direction on how to fix this issue? So far, we’ve done the following: 1. Verified the /etc/krb5.keytab seems to be fine (and it does). 2. Verified that changes to our FreeIPA servers properly get replicated to the clients. Thanks! Terence-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Failed to initialize credentials using keytab
Hi All, Server: RHEL 6.3 ipa-admintools-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 libipa_hbac-1.8.0-32.el6.x86_64 libipa_hbac-python-1.8.0-32.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch Odd Error in /var/log/messages: Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection. Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity check failed Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon starting up, check in interval 240 minutes. Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local host service using default keytab. I checked the servers ketab and as far as I can tell, it seems fine? [root@sysvm-ipa etc]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com cya Craig ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Failed to initialize credentials using keytab
does kinit -k host/sysvm-ipa.example@example.com work for you? On 07/10/2012 10:53 AM, free...@noboost.org wrote: Hi All, Server: RHEL 6.3 ipa-admintools-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 libipa_hbac-1.8.0-32.el6.x86_64 libipa_hbac-python-1.8.0-32.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch Odd Error in /var/log/messages: Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection. Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity check failed Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon starting up, check in interval 240 minutes. Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local host service using default keytab. I checked the servers ketab and as far as I can tell, it seems fine? [root@sysvm-ipa etc]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -- 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com 2 host/sysvm-ipa.example@example.com cya Craig ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users