Re: [Freeipa-users] Unable to authenticate a client user against IPA

[Simo Sorce]

----- Original Message -----
> Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl03.ipa.ac...@ipa.ac
> .NZ] not found in keytab [default]
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
> _init)!
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
> (0): fatal error initializing data providers
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A
> C.NZ] not found in keytab [default]
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
> _init)!
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
> (0): fatal error initializing data providers
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> [root@Fed14-64-ipacl03 sssd]#
> 
> ========================
> root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
> 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
> 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
> 1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
> [root@Fed14-64-ipacl03 sssd]#
> 
> ?
> 

Caught Steven on IRC, this was a case of hostname being mixed case, which 
confuses kerberos libraries as they are case-sensitive and expect all lowercase 
names for hosts.

This would not have been a problem if sssd just used the first key in the 
keytab instead of trying to guess the principal name in advance. (Yeah being 
stingy, no pressure Stephen :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users