On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
>>>> < HTTP/1.1 401 Authorization Required
>>>> < Date: Tue, 26 Feb 2013 16:54:21 GMT
>>>> < Server: Apache/2.2.15 (CentOS)
>>>> * gss_init_sec_context() failed: : Server krbtgt/[email protected] not found in Kerberos database
>>>> < WWW-Authenticate: Negotiate
>>>
>>> I have a similar problem getting a couple of RHEL 6.4 clients working
>>> with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
>>> ipa-client-install I get:
>>>
>>> * gss_init_sec_context() failed: : Request is a replay
>>> < WWW-Authenticate: Negotiate
>>
>> This is very suspicious. Could you double check time on all servers and the
>> client?
>
> I have a ticket opened with RH-support for this (00796525), so I hope
> to get it fixed that way soonish.. but -- one strange thing about my
> problem is that I can't even get sssd working if I do a manual
> enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
> ipa-getkeytab on the ipa-server, transferred the keytab, but still
> sssd fails to work. To get sssd working on this machine I had to
> configure an LDAP backend against the ipa-servers, without
> "ldap_sasl_mech=GSSAPI".
>
> Is there a simple way to verify that the hosts keytab is OK?
> "klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
> like to test it against the ipa-server.

You can do kinit as host principal:
$ klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- ---------------------------------
2 10/17/12 15:22:19 host/[email protected]
$ kinit -kt /etc/krb5.keytab host/[email protected]
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[email protected]
Valid starting Expires Service principal
02/27/13 11:45:02 02/28/13 11:45:02 krbtgt/[email protected]
--
Petr^2 Spacek
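
The kinit check from the reply above, wrapped as a script. This is an added example, not part of the original message: it picks the host/ principal out of "klist -kt" output and runs kinit against a private credential cache, so an existing ticket cache is not overwritten. The function names, the --check switch and the sample principal and realm are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Principal and realm below are constructed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------
   1 10/01/12 09:00:00 host/client.example.test@EXAMPLE.TEST
   2 10/17/12 15:22:19 host/client.example.test@EXAMPLE.TEST
   2 10/17/12 15:22:19 nfs/client.example.test@EXAMPLE.TEST'

# Read `klist -kt` output on stdin; print "KVNO PRINCIPAL" for the host/ entry
# with the highest key version. Exit 1 if the keytab holds no host/ principal.
keytab_host_entry() {
    awk '$1 ~ /^[0-9]+$/ && $4 ~ /^host\// && $1 + 0 >= best { best = $1 + 0; p = $4 }
         END { if (p == "") exit 1; print best, p }'
}

# check_keytab [KEYTAB]: 0 if the KDC issues a TGT for the keytab's host key.
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    entry=$(klist -kt "$keytab" | keytab_host_entry) || {
        echo "no host/ principal in $keytab" >&2; return 2; }
    princ=${entry#* }
    # Private credential cache: the default cache and its tickets are left alone.
    ccdir=$(mktemp -d) || return 3
    rc=0
    KRB5CCNAME="FILE:$ccdir/cc" kinit -kt "$keytab" "$princ" || rc=1
    if [ "$rc" -eq 0 ]; then
        # klist -s prints nothing; its exit status says whether valid tickets exist.
        KRB5CCNAME="FILE:$ccdir/cc" klist -s || rc=1
    fi
    rm -rf "$ccdir"
    if [ "$rc" -eq 0 ]; then
        echo "OK: KDC issued a TGT for $princ (keytab KVNO ${entry%% *})"
    else
        echo "FAIL: kinit with $keytab failed for $princ" >&2
    fi
    return "$rc"
}

# Run the live check only when asked: sh check_keytab.sh --check [KEYTAB]
if [ "${1:-}" = "--check" ]; then check_keytab "${2:-}"; fi
```

Run it as root on the enrolled client, since /etc/krb5.keytab is normally readable only by root.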