[Freeipa-users] sasl binding failed when running ipa-getkeytab

Rob Crittenden rcritten at redhat.com
Tue Sep 30 13:28:49 UTC 2008


Ivan Levchenko wrote:
> On Mon, Sep 29, 2008 at 5:55 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Did you have a kerberos ticket before running ipa-getkeytab? You need to do
>> a kinit before running this.
> 
> Yes, I did kinit for admin, and klist shows that I have a ticket.
> 
>> I'm not sure what you mean by "enter them manually" when logging on as an
>> ipa user.
> 
> i.e. when I ssh to the box, it prompts me for a password and
> authenticates via pam (which checks against the ipa server), and I get
> logged in successfully using the user that is defined on the ipa
> server.

Log into which box? The IPA server or another server? If not the IPA 
server, does this other server have a host service principal and has 
sshd been restarted?

Using the -v argument with ssh will show you more details on what 
authentication methods it is trying.

>> You will want to look on the IPA server in /var/log/krb5kdc.log and/or
>> /var/log/dirsrv/slapd-INSTANCE/error for more information.
> I was just tailing those two files while running the ipa-getkeytab
> command.. nothing....
> also checked any other even remotely relevant log files (messages,
> secure...) -  nothing...

I'm not sure how that is possible. The error you reported from 
ipa-getkeytab is returned if an LDAP GSSAPI bind to the IPA LDAP server 
fails.

You can try a similar operation by doing something like:

% ldapsearch -Y GSSAPI -h ipa.freeipa.org -b "dc=freeipa,dc=org" uid=admin

rob
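As an added illustration (not code from this thread or from FreeIPA), here is a small shell helper that turns Rob's suggested probe into a check that reports which stage of the GSSAPI bind failed: no ticket in the cache, the KDC never issued a service ticket for ldap/<host> (which would also explain an empty krb5kdc.log), or the directory server itself rejected the bind. It assumes the host name and base DN from the ldapsearch line above, and the error phrases it matches are the usual libkrb5 and Cyrus SASL wording; both are assumptions to adjust for your own deployment.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from FreeIPA.
# Assumes the host and base DN from Rob's ldapsearch example; override
# them with IPA_HOST / BASE_DN for another deployment.
IPA_HOST="${IPA_HOST:-ipa.freeipa.org}"
BASE_DN="${BASE_DN:-dc=freeipa,dc=org}"

# Is there a usable ticket (cache present, TGT not expired)? klist -s is
# silent and exits non-zero otherwise, so it is safe to call from scripts.
have_tgt() {
    klist -s
}

# A successful GSSAPI bind leaves a service ticket for ldap/<host> in the
# cache. If it is missing after a failed bind, the client never completed
# the TGS exchange with the KDC, which is consistent with nothing showing
# up in krb5kdc.log.
have_ldap_service_ticket() {
    klist 2>/dev/null | grep -q "ldap/$IPA_HOST@"
}

# Map the stderr of a failed "ldapsearch -Y GSSAPI" to a one-line diagnosis.
# The matched phrases are the usual libkrb5 / Cyrus SASL wording (an
# assumption; compare with your own output). $1 is the captured stderr text.
classify_bind_error() {
    case "$1" in
        *"No Kerberos credentials available"*)
            echo "no-ticket: kinit first" ;;
        *"Ticket expired"*)
            echo "expired-ticket: kinit again" ;;
        *"Server not found in Kerberos database"*)
            echo "no-service-principal: KDC has no ldap/<fqdn> principal, or the name ldapsearch resolved does not match it" ;;
        *"Can't contact LDAP server"*)
            echo "unreachable: TCP-level failure, not SASL" ;;
        *)
            echo "unclassified: $1" ;;
    esac
}

# Run the same probe the thread suggests and report which stage failed.
# Returns 0 on a working bind, 1 otherwise.
gssapi_bind_check() {
    if ! have_tgt; then
        echo "no-ticket: kinit first"
        return 1
    fi
    # Keep stderr (the SASL/GSSAPI diagnostics), discard the search result.
    err=$(ldapsearch -Y GSSAPI -h "$IPA_HOST" -b "$BASE_DN" uid=admin 2>&1 >/dev/null)
    if [ $? -eq 0 ]; then
        echo "ok: GSSAPI bind to $IPA_HOST succeeded"
        return 0
    fi
    classify_bind_error "$err"
    if have_ldap_service_ticket; then
        echo "note: service ticket for ldap/$IPA_HOST is present, so the KDC step worked; look in the directory server error log"
    else
        echo "note: no ldap/$IPA_HOST service ticket in the cache; check realm/DNS config and krb5kdc.log for a TGS-REQ"
    fi
    return 1
}

# Only run the live probe when invoked with --run (a flag chosen for this
# example), so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    gssapi_bind_check
fi
```

Run it as `sh gssapi-check.sh --run` after `kinit admin`. The useful signal is the second line: if the ldap/<host> service ticket appears in `klist` after the attempt, the KDC side is fine and the problem is in the directory server (its error log is the place to look); if it does not, the client never reached the TGS step and the KDC log staying empty is expected.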