[Freeipa-users] GSSAPI Failure

Konstantin Kozlov kozlov at spbcas.ru
Fri Nov 14 13:40:01 UTC 2008


Simo Sorce wrote:
> On Fri, 2008-11-14 at 16:19 +0300, Konstantin Kozlov wrote:
>> Simo Sorce wrote:
>>> On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
>>>> NTP, DNS and DHCP are on another server, they were set up a lot
>>>> earlier and working.
>>>>
>>>> Does the ldapsearch error indicate that FDS fails and not IPA?
>>> No, the failure means that the kdc used and the ldap keytab are not in
>>> sync.
>>>
>>> Have you tried to manually create a keytab for
>>> ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
>>> a keytab for this principal with ipa-getkeytab?
>>>
>>> Simo.
>>>
>> Yes, I did that. Can it be the problem? Should I remove it? How?
> 
> Yes, you basically cleared the secret ldap has and didn't tell it.
> You should *never* do that for the IPA server.
> 

OK, I got it. Can it be put somewhere in the documentation part of the ipa
project?

> If you created that principal with ipa-addservice, remove it, we already
> have a special entry in the kerberos part of the tree. That might be
> enough, otherwise you will have to reset the key again and store the new
> contents in the ds.keytab
> 

I tried to remove it with ktadmin.local but it didn't help. What is the
proper way to do that given that ipa-tools do not work?

Kostya



