Hi, On Sat, Jun 28, 2025 at 7:33 PM Felix O via FreeIPA-users < [email protected]> wrote:
> Hi again, > Further troubleshooting has not proven successful. I think that this is > partly caused by me not understanding what the No valid negotiate header > error actually means. Most sources point in the direction of keytabs, so I > suspect it has to do with LDAP/KDC communications? > > Also, when running getcert list, the following shows up at the top. > However, I don't know if this is caused by the other errors, or causing > them? > Request ID '20210520194638': > status: CA_UNREACHABLE > ca-error: Error setting up ccache for "host" service on client > using default keytab: Cannot contact any KDC for requested realm. > This error suggests that the kerberos server is not running. What is the output of *ipactl status* ? Can you run *kdestroy -A; kinit -kt **/etc/krb5.keytab host/`hostname`* flo > > stuck: no > key pair storage: > type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: IPA > issuer: CN=Certificate Authority,O=COMPANY.COM > subject: CN=ipa.company.com,O=COMPANY.COM > issued: 2025-06-09 11:07:31 UTC > expires: 2027-06-10 11:07:31 UTC > principal name: krbtgt/[email protected] > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-pkinit-KPKdc > profile: KDCs_PKINIT_Certs > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > > The other certificates listed are all valid and shows as MONITORING. This > failing(?) certificate also shows up when running ipa-getcert list. > If it's helpful, the instance is running in a CentOS 9 container. > > Felix > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
