[Freeipa-users] Cannot obtain CA Certificate

Jan-Frode Myklebust janfrode at tanso.net
Wed Feb 27 10:34:10 UTC 2013


On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
> >
> >
> >< HTTP/1.1 401 Authorization Required
> >< Date: Tue, 26 Feb 2013 16:54:21 GMT
> >< Server: Apache/2.2.15 (CentOS)
> >* gss_init_sec_context() failed: : Server krbtgt/COM at EXAMPLE.COM not found in Kerberos database< WWW-Authenticate: Negotiate

I have a similar problem getting a couple of RHEL 6.4 clients working
with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
ipa-client-install I get:

	* gss_init_sec_context() failed: : Request is a replay< WWW-Authenticate: Negotiate

I have a ticket opened with RH-support for this (00796525), so I hope
to get it fixed that way soonish.. but -- one strange thing about my
problem is that I can't even get sssd working if I do a manual
enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
ipa-getkeytab on the ipa-server, transferred the keytab, but still 
sssd fails to work. To get sssd working on this machine I had to 
configure an LDAP backend against the ipa-servers, without
"ldap_sasl_mech=GSSAPI".

Is there a simple way to verify that the host's keytab is OK?
"klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
like to test it against the ipa-server.



  -jf



