no dice....

[root@aisffcgi08 ~]# kinit admin
Password for ad...@ipa.x.org:
[root@aisffcgi08 ~]# ipa-getkeytab -s ipasrv01.ipa.x.org -k /etc/krb5.keytab -p host/ipasrv01.ipa.x.org
Keytab successfully retrieved and stored in: /etc/krb5.keytab
[root@aisffcgi08 ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (aes256-cts-hmac-sha1-96)
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (aes128-cts-hmac-sha1-96)
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (aes256-cts-hmac-sha384-192)
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (aes128-cts-hmac-sha256-128)
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (des3-cbc-sha1)
   1 08/30/2019 13:06:14 host/aisffcgi08.x....@ipa.x.org (arcfour-hmac)
   3 01/16/2020 10:49:51 host/ipasrv01.ipa.x....@ipa.x.org (aes256-cts-hmac-sha1-96)
   3 01/16/2020 10:49:51 host/ipasrv01.ipa.x....@ipa.x.org (aes128-cts-hmac-sha1-96)
   4 01/16/2020 10:52:10 host/ipasrv01.ipa.x....@ipa.x.org (aes256-cts-hmac-sha1-96)
   4 01/16/2020 10:52:10 host/ipasrv01.ipa.x....@ipa.x.org (aes128-cts-hmac-sha1-96)

[root@ipasrv01 ~]# kvno -S host ipasrv01.ipa.x.org
host/ipasrv01.ipa.x....@ipa.x.org: kvno = 2

Why does the klist command show KVNO of 3 and 4 for ipasrv01? Where is it getting that from?

Jan 16 11:06:28 aisffcgi08 [sssd[ldap_child[58885]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection

At least in my case, the error did not go away. I suspect I can just remove it as an IPA client and then add it back, but was trying to understand if there was a less extreme way to resolve this, and why it occurred in the first place.

Amos
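An added example, not part of the original post: a small Python audit of `klist -kte` output that flags host keys belonging to another machine, keytab KVNOs that disagree with what `kvno` reports from the KDC, multiple stored key versions, and deprecated enctypes. The sample listing, the principal names and the `audit` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `klist -kte` layout (placeholder names, not the poster's hosts).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/30/2019 13:06:14 host/client01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 08/30/2019 13:06:14 host/client01.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 01/16/2020 10:49:51 host/server01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 01/16/2020 10:52:10 host/server01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# KVNO, timestamp, principal, (enctype); header and separator lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)\s+\(([^)]+)\)\s*$")
WEAK = {"arcfour-hmac", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

def parse_keytab_listing(text):
    """Return {principal: {kvno: [enctype, ...]}} from `klist -kte` output."""
    table = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, _ts, principal, enctype = m.groups()
            table[principal][int(kvno)].append(enctype)
    return table

def audit(text, local_principal, kdc_kvno):
    """kdc_kvno maps principal -> value printed by `kvno`. Returns sorted findings."""
    findings = []
    for principal, versions in parse_keytab_listing(text).items():
        newest = max(versions)
        if principal != local_principal:
            findings.append(f"{principal}: foreign host key in this keytab")
        if principal in kdc_kvno and kdc_kvno[principal] != newest:
            findings.append(f"{principal}: keytab kvno {newest} != KDC kvno {kdc_kvno[principal]}")
        if len(versions) > 1:
            findings.append(f"{principal}: {len(versions)} key versions stored")
        for enc in sorted(WEAK & {e for v in versions.values() for e in v}):
            findings.append(f"{principal}: weak enctype {enc}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_KLIST, "host/client01.example.test@EXAMPLE.TEST",
                         {"host/server01.example.test@EXAMPLE.TEST": 2}):
        print(finding)
```

When reading such a report, keep in mind that `ipa-getkeytab` run without `-r` generates new keys for the principal, which raises its KVNO on the KDC and invalidates keytabs issued earlier for that principal.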