> Got what new ticket? IPA provides its own tooling for managing keytabs,
> ipa-getkeytab.

I kept saying ticket. I meant keytab. I used ktutil to get new keytab entries.

> On another system you might try kvno to see what IPA thinks the principal
> version should be with just kvno ldap/<hostname>

On a client server, it says:

root@cumulus etc $ kvno ldap/pacific.caps.int
ldap/[email protected]: kvno = 2

which matches kvno = 2 on Pacific, the IPA server.

root@pacific ~ $ kvno ldap/pacific.caps.int
ldap/[email protected]: kvno = 2

> Is this your only IPA server?

Yes, the only IPA server is Pacific.

Thanks,
Bryan

-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: Friday, July 19, 2024 7:32 AM
To: [email protected]; 'FreeIPA users list' <[email protected]>
Subject: Re: [Freeipa-users] GSSAPI authentication failure

[email protected] wrote:
> (Resending this email, files were too large)
>
> Sorry for the delayed reply. I was on vacation for a few days.
>
>> Please show us the KDC log when you are provoking a failure.
>
> I'm attaching the slapd access, slapd error, krb5kdb.log and kadmind.log. The
> only thing of note I see in those logs is in the slapd access log:
>
> [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49
> tag=97 nentries=0 wtime=0.000076683 optime=0.265358256
> etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
> which shows up often.
>
>> I'm not sure what ticket you're referring to, unless you mean a TGT.
>
> I think GSSAPI errors may be related to this ticket issue showing "keytab
> entry invalid":
>
> root@pacific ~ $ klist -kte /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 07/11/2024 18:54:19 ldap/[email protected] (aes256-cts-hmac-sha1-96)
>    2 07/11/2024 19:44:09 ldap/[email protected] (aes128-cts-hmac-sha1-96)
> root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
> ldap/[email protected]: kvno = 2, keytab entry invalid
> kvno: Wrong principal in request while decrypting ticket for
> ldap/[email protected]
>
> That's after I got a new ticket with ktutil.

Got what new ticket? IPA provides its own tooling for managing keytabs,
ipa-getkeytab.

On another system you might try kvno to see what IPA thinks the principal
version should be with just kvno ldap/<hostname>

Is this your only IPA server?

rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
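The thread turns on a distinction that is easy to miss when reading `kvno` output by eye: the key version number in the keytab can agree with the KDC while the key material itself does not, which is exactly what "kvno = 2, keytab entry invalid" plus "Wrong principal in request while decrypting ticket" reports, and it is the expected outcome when keytab entries are added with ktutil instead of being fetched from IPA. The following is an added example, not code from the thread or from FreeIPA: it parses the text printed by `klist -kte`, by `kvno <principal>` run on an enrolled client, and by `kvno -k <keytab> <principal>` run on the service host, and reduces the three to one verdict (missing principal, kvno mismatch, key mismatch, or ok). The sample outputs are constructed to mirror the thread; the realm `EXAMPLE.TEST` is a placeholder, since the real realm is not visible in the post.

```python
"""Triage a service keytab against what the KDC actually issues tickets with.

Added example, not from the FreeIPA-users thread. Inputs are the plain text
printed by `klist -kte`, `kvno <principal>` (client side) and
`kvno -k <keytab> <principal>` (service host). Sample outputs below are
constructed after the thread; EXAMPLE.TEST is a placeholder realm.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRINCIPAL = "ldap/pacific.caps.int@EXAMPLE.TEST"  # placeholder realm

# Constructed `klist -kte /etc/dirsrv/ds.keytab` output (realm is a placeholder).
KLIST_SAMPLE = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/11/2024 18:54:19 ldap/pacific.caps.int@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 07/11/2024 19:44:09 ldap/pacific.caps.int@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""
# Constructed `kvno ldap/pacific.caps.int` output from an enrolled client.
CLIENT_KVNO_SAMPLE = "ldap/pacific.caps.int@EXAMPLE.TEST: kvno = 2\n"
# Constructed `kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int` outputs:
# the failing case seen in the thread, and what a healthy keytab prints.
KEYTAB_KVNO_BROKEN = (
    "ldap/pacific.caps.int@EXAMPLE.TEST: kvno = 2, keytab entry invalid\n"
    "kvno: Wrong principal in request while decrypting ticket for "
    "ldap/pacific.caps.int@EXAMPLE.TEST\n"
)
KEYTAB_KVNO_OK = "ldap/pacific.caps.int@EXAMPLE.TEST: kvno = 2\n"


@dataclass
class KeytabEntry:
    kvno: int
    timestamp: str
    principal: str
    enctype: str


# "   2 07/11/2024 18:54:19 ldap/host@REALM (aes256-cts-hmac-sha1-96)"
_KEYTAB_LINE = re.compile(
    r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s+\((\S+)\)\s*$")
# "ldap/host@REALM: kvno = 2" or "ldap/host@REALM: kvno = 2, keytab entry invalid"
_KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)(, keytab entry invalid)?\s*$")


def parse_klist(text: str) -> List[KeytabEntry]:
    """Return one entry per key line of `klist -kte`; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def parse_kvno(text: str) -> Dict[str, Tuple[int, bool]]:
    """Map principal -> (kvno, key_valid).

    key_valid is False when kvno obtained a service ticket from the KDC but
    could not decrypt it with the keytab key ("keytab entry invalid").
    """
    result: Dict[str, Tuple[int, bool]] = {}
    for line in text.splitlines():
        m = _KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = (int(m.group(2)), m.group(3) is None)
    return result


def diagnose(principal: str, klist_text: str, client_kvno_text: str,
             keytab_kvno_text: str) -> str:
    """Combine the three command outputs into a single verdict string."""
    entries = [e for e in parse_klist(klist_text) if e.principal == principal]
    if not entries:
        return "missing: principal not present in keytab"
    keytab_kvno = max(e.kvno for e in entries)
    kdc = parse_kvno(client_kvno_text).get(principal)
    if kdc is None:
        return "unknown: client-side kvno produced no ticket for the principal"
    kdc_kvno = kdc[0]
    if keytab_kvno != kdc_kvno:
        return (f"kvno-mismatch: keytab holds kvno {keytab_kvno}, "
                f"KDC issues tickets with kvno {kdc_kvno}")
    local = parse_kvno(keytab_kvno_text).get(principal)
    if local is None:
        return "unknown: kvno -k produced no result for the principal"
    if not local[1]:
        # Version numbers agree, but the key bytes in the keytab are not the
        # KDC's: the keytab was not produced by the KDC (ktutil-added entries
        # behave like this). Re-fetch it from IPA with ipa-getkeytab.
        return (f"key-mismatch: kvno {kdc_kvno} agrees on both sides but the keytab key "
                "cannot decrypt a service ticket; re-fetch the keytab with ipa-getkeytab")
    enctypes = ", ".join(sorted(e.enctype for e in entries))
    return f"ok: kvno {kdc_kvno}, enctypes {enctypes}"


if __name__ == "__main__":
    print(diagnose(PRINCIPAL, KLIST_SAMPLE, CLIENT_KVNO_SAMPLE, KEYTAB_KVNO_BROKEN))
    print(diagnose(PRINCIPAL, KLIST_SAMPLE, CLIENT_KVNO_SAMPLE, KEYTAB_KVNO_OK))
```

The verdict order matters: a kvno mismatch is checked before the decryption result, because when the version numbers differ the KDC simply has a newer key and the fix is a plain re-fetch, whereas "keytab entry invalid" with matching numbers means the keytab was populated with key material the KDC never had. Matching kvno values, as in the thread, therefore rule out only the first problem, not the second.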
