Ok, however I can't LDAP/IPA authenticate still....on either client..........
So what next?

regards

Steven
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Thursday, 10 March 2011 10:47 a.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones wrote:
> Hi,
>
> I have gone into the webgui and manually removed the no1 client/host, it
> has now joined successfully...
>
> So Yes, the next issue....
>
> regards
>

I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using kerberos credentials. It is ok if the host already exists but not absolutely required.

* When a host is unenrolled it uses its own credentials (the service principal in /etc/krb5.keytab host/[email protected]) to authenticate to IPA and say "I'm done with these credentials." If you lack this principal it cannot authenticate to IPA to say "I'm done with these credentials."

If a keytab was actually created for this host and the contents are lost then you will need to manually free it up for enrollment again either with:

    # ipa host-disable client.example.com

or

    # ipa host-del client.example.com

You can see if a keytab was issued with:

    # ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to tracking SSL certificates and 1029 only applies if you used the --hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a specific host or realm from a keytab file. It has no effect on the server at all.

regards

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
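
The decision described in the reply above, as an added example that is not part of the original thread: given captured output of `ipa host-show` and of `klist -k /etc/krb5.keytab` on the client, it reports whether the host can enroll directly, can release its own credentials, or must be freed on the server with `ipa host-disable` or `ipa host-del`. The function name, the three result labels, the realm EXAMPLE.COM and all sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample data throughout.

# enrollment_action HOST_SHOW_OUTPUT KLIST_OUTPUT FQDN   (hypothetical helper)
# Prints one of:
#   enroll                - server holds no keytab for the host; enrollment can proceed
#   unenroll-from-client  - client still has host/<fqdn>, so it can tell IPA it is done
#   release-on-server     - keytab was issued but the client lost it:
#                           ipa host-disable <fqdn>  or  ipa host-del <fqdn>
enrollment_action() {
    host_show=$1
    klist_out=$2
    fqdn=$3

    # Server side: was a keytab ever issued? ("Look for Keytab: True")
    if ! printf '%s\n' "$host_show" |
            grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True[[:space:]]*$'; then
        echo "enroll"
        return 0
    fi

    # Client side: is the host service principal still in the local keytab?
    if printf '%s\n' "$klist_out" | grep -Fq "host/${fqdn}@"; then
        echo "unenroll-from-client"
    else
        echo "release-on-server"
    fi
}

# Constructed sample of `ipa host-show client.example.com` output.
SAMPLE_HOST_SHOW='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: True'
SAMPLE_HOST_SHOW_NOKEYTAB='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: False'

# Constructed samples of `klist -k /etc/krb5.keytab` output on the client.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   2 host/client.example.com@EXAMPLE.COM'
SAMPLE_KLIST_LOST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------'

# Keytab issued on the server but missing on the client.
enrollment_action "$SAMPLE_HOST_SHOW" "$SAMPLE_KLIST_LOST" client.example.com
```

On a live system the first argument would come from `ipa host-show` run with admin credentials and the second from `klist -k` run as root on the client.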
