Re: [Freeipa-users] keytab issue with service principal
Thank you so much, that was it - just a wrong command. Appreciate the help and quick response.

From: Simo Sorce
To: sipazzo
Cc: Freeipa-users
Sent: Tuesday, June 30, 2015 12:39 PM
Subject: Re: [Freeipa-users] keytab issue with service principal

On Tue, 2015-06-30 at 19:34, sipazzo wrote:
> Output of klist -kt is
>
> KVNO Timestamp         Principal
> ---- ----------------- -----------------------------------------
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>
> From: Simo Sorce
> To: sipazzo
> Cc: Freeipa-users
> Sent: Tuesday, June 30, 2015 11:52 AM
> Subject: Re: [Freeipa-users] keytab issue with service principal

Then the command you want to run is:

kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com

Note, no -S

Simo.

> On Tue, 2015-06-30 at 18:44, sipazzo wrote:
> > I am trying to troubleshoot kerberos authentication for an oracle service
> > (oracledb) and getting the following error when testing the service keytab
> > on the database server (oracledbsrvr):
> >
> > [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
> >
> > When I use a client program like sqlplus on the database server connecting
> > as a freeipa user with valid kerberos ticket it appears to work fine
> > though. I cannot get it working from a remote client however. Is this
> > error a red herring or should I be concerned about this? kvno and klist
> > show same number.
>
> What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] keytab issue with service principal
Thank you, I had tried it both ways with same results. Just misunderstood documentation I guess so tried the -S to try to force it to use the service keytab for authentication.

kinit -k -t /opt/oracle/admin/oracledb.keytab
kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials

Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much.

From: Alexander Bokovoy
To: sipazzo
Cc: Freeipa-users
Sent: Tuesday, June 30, 2015 12:16 PM
Subject: Re: [Freeipa-users] keytab issue with service principal

----- Original Message -----
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab
> on the database server (oracledbsrvr):
>
> [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials

Remove -S option, just specify your oracledb/`hostname` principal.

With -S option your oracledb/`hostname` principal is consumed by the -S option and then default principal is what you are authenticating with. Which means "I want to obtain credentials to oracledb/`hostname` service, not krbtgt/example@example.com, but I'll be authenticating as host/`hostname` for that."

But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails.

Why did you choose to use -S option?

--
/ Alexander Bokovoy
Re: [Freeipa-users] keytab issue with service principal
On Tue, 2015-06-30 at 19:34, sipazzo wrote:
> Output of klist -kt is
>
> KVNO Timestamp         Principal
> ---- ----------------- -----------------------------------------
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
>
> From: Simo Sorce
> To: sipazzo
> Cc: Freeipa-users
> Sent: Tuesday, June 30, 2015 11:52 AM
> Subject: Re: [Freeipa-users] keytab issue with service principal

Then the command you want to run is:

kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com

Note, no -S

Simo.

> On Tue, 2015-06-30 at 18:44, sipazzo wrote:
> > I am trying to troubleshoot kerberos authentication for an oracle service
> > (oracledb) and getting the following error when testing the service keytab
> > on the database server (oracledbsrvr):
> >
> > [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> > kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
> >
> > When I use a client program like sqlplus on the database server connecting
> > as a freeipa user with valid kerberos ticket it appears to work fine
> > though. I cannot get it working from a remote client however. Is this
> > error a red herring or should I be concerned about this? kvno and klist
> > show same number.
>
> What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?
>
> Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] keytab issue with service principal
Output of klist -kt is

KVNO Timestamp         Principal
---- ----------------- -----------------------------------------
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com

From: Simo Sorce
To: sipazzo
Cc: Freeipa-users
Sent: Tuesday, June 30, 2015 11:52 AM
Subject: Re: [Freeipa-users] keytab issue with service principal

On Tue, 2015-06-30 at 18:44, sipazzo wrote:
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab on
> the database server (oracledbsrvr):
>
> [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
>
> When I use a client program like sqlplus on the database server connecting as
> a freeipa user with valid kerberos ticket it appears to work fine though. I
> cannot get it working from a remote client however. Is this error a red
> herring or should I be concerned about this? kvno and klist show same number.

What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] keytab issue with service principal
----- Original Message -----
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab
> on the database server (oracledbsrvr):
>
> [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials

Remove -S option, just specify your oracledb/`hostname` principal.

With -S option your oracledb/`hostname` principal is consumed by the -S option and then default principal is what you are authenticating with. Which means "I want to obtain credentials to oracledb/`hostname` service, not krbtgt/example@example.com, but I'll be authenticating as host/`hostname` for that."

But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails.

Why did you choose to use -S option?

--
/ Alexander Bokovoy
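As an added example, not code from the thread or from FreeIPA or MIT krb5: a small POSIX shell dry run of the rule Alexander describes above. It resolves the client principal the way `kinit -k` does (the positional argument if one is given, otherwise host/<hostname>@REALM; the value after `-S` is the service to get a ticket for, never the identity), checks that principal against a `klist -kt` listing, and reproduces the error from the thread for the `-S` form while the corrected form passes. The listing is constructed from the one posted; the realm EXAMPLE.COM is an assumption, since the archive mangled it, and the argument parser covers only the kinit options used in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry run of how MIT kinit picks
# the client principal from its arguments, checked against a keytab listing.

# Constructed stand-in for the output of
#   klist -kt /opt/oracle/admin/oracledb.keytab
# as posted in the thread. The realm EXAMPLE.COM is an assumption; the
# archive garbled it in the original listing.
KLIST_OUT='Keytab name: FILE:/opt/oracle/admin/oracledb.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
   2 06/30/15 17:12:13 oracledb/oracledbsrvr.example.com@EXAMPLE.COM'

# keytab_has_principal LISTING PRINCIPAL
# Succeeds if at least one key entry (a line that starts with a KVNO) in
# the klist -kt listing belongs to PRINCIPAL.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p { found = 1 }
        END { exit !found }'
}

# kinit_client_principal HOSTNAME REALM [kinit args...]
# Resolves the principal kinit -k would authenticate *as*: the positional
# argument if one is given, otherwise host/HOSTNAME@REALM. The value after
# -S is the service to request a ticket for and is never the client
# identity, which is exactly the mix-up in the thread. Only the options
# seen in the thread (-k, -t, -kt, -S, -c) are modelled.
kinit_client_principal() {
    host=$1; realm=$2; shift 2
    client=''
    while [ $# -gt 0 ]; do
        case $1 in
            -S|-t|-c|-kt) shift 2 ;;        # options that take a value
            -*)           shift ;;          # -k and other bare flags
            *)            client=$1; shift ;;
        esac
    done
    [ -n "$client" ] || client="host/$host"
    case $client in
        *@*) ;;
        *)   client="$client@$realm" ;;
    esac
    printf '%s\n' "$client"
}

# check_kinit LISTING HOSTNAME REALM [kinit args...]
# Before running the real kinit, report which principal it would use and
# whether the keytab has a key for it; on a mismatch, print the same error
# text kinit produced in the thread.
check_kinit() {
    listing=$1; shift
    client=$(kinit_client_principal "$@")
    if keytab_has_principal "$listing" "$client"; then
        printf 'ok: keytab has keys for %s\n' "$client"
        return 0
    fi
    printf 'kinit: Keytab contains no suitable keys for %s while getting initial credentials\n' "$client" >&2
    return 1
}

# The command from the thread: -S swallows the oracledb principal, so kinit
# falls back to host/oracledbsrvr.example.com, which this keytab lacks.
check_kinit "$KLIST_OUT" oracledbsrvr.example.com EXAMPLE.COM \
    -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com || true

# The corrected command: the service principal is the positional argument.
check_kinit "$KLIST_OUT" oracledbsrvr.example.com EXAMPLE.COM \
    -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com
```

Run as-is, the first call prints the thread's error and the second prints `ok`. Against a real keytab, pass `"$(klist -kt /path/to/file.keytab)"` in place of `$KLIST_OUT`. The other half of the check the original poster mentions is the KVNO: the number in the KVNO column must match what the KDC currently holds for that principal, which `kvno oracledb/oracledbsrvr.example.com` reports once you hold a ticket; a keytab that was re-fetched after the KDC key was rotated again will list the principal but still fail.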
Re: [Freeipa-users] keytab issue with service principal
On Tue, 2015-06-30 at 18:44, sipazzo wrote:
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab on
> the database server (oracledbsrvr):
>
> [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for host/oracledbsrvr.example@example.com while getting initial credentials
>
> When I use a client program like sqlplus on the database server connecting as
> a freeipa user with valid kerberos ticket it appears to work fine though. I
> cannot get it working from a remote client however. Is this error a red
> herring or should I be concerned about this? kvno and klist show same number.

What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York