[Freeipa-users] Cannot obtain CA Certificate

Petr Spacek pspacek at redhat.com
Wed Feb 27 10:52:42 UTC 2013


On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
>>>
>>>
>>> < HTTP/1.1 401 Authorization Required
>>> < Date: Tue, 26 Feb 2013 16:54:21 GMT
>>> < Server: Apache/2.2.15 (CentOS)
>>> * gss_init_sec_context() failed: : Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database
>>> < WWW-Authenticate: Negotiate
>
> I have a similar problem getting a couple of RHEL 6.4 clients working
> with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
> ipa-client-install I get:
>
> 	* gss_init_sec_context() failed: : Request is a replay
> 	< WWW-Authenticate: Negotiate
This is very suspicious. Could you double-check the time on all servers and the 
client?

> I have a ticket opened with RH-support for this (00796525), so I hope
> to get it fixed that way soonish.. but -- one strange thing about my
> problem is that I can't even get sssd working if I do a manual
> enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
> ipa-getkeytab on the ipa-server, transferred the keytab, but still
> sssd fails to work. To get sssd working on this machine I had to
> configure an LDAP backend against the ipa-servers, without
> "ldap_sasl_mech=GSSAPI".
>
> Is there a simple way to verify that the hosts keytab is OK?
> "klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
> like to test it against the ipa-server.

You can do kinit as the host principal:

$ klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------
   2 10/17/12 15:22:19 host/host.example.com@EXAMPLE.COM

$ kinit -kt /etc/krb5.keytab host/host.example.com@EXAMPLE.COM

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/host.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
02/27/13 11:45:02  02/28/13 11:45:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM

-- 
Petr^2 Spacek
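The kinit/klist check above, turned into a script as an added example (not code from the thread or from FreeIPA): it lists every principal stored in the keytab and tries to obtain a TGT for each one into a private credential cache, so the caller's own tickets are left untouched. Function names, the KEYTAB_CHECK_RUN guard and the sample values are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every principal in a keytab
# can obtain a TGT from the KDC, using a throw-away credential cache.

# Extract the unique principal names from `klist -kt` output read on stdin.
# The first three lines are the "Keytab name:" banner, the column header and
# the dashed rule; on a data row the principal is always the last field.
parse_keytab_principals() {
    awk 'NR > 3 && NF >= 4 { print $NF }' | sort -u
}

# Try kinit -kt for one principal into a private cache. Prints OK/FAIL and
# returns kinit's status. "Request is a replay" or "Clock skew too great"
# here almost always means client and KDC clocks disagree; "Key version
# number ... is incorrect" means the keytab is stale relative to the KDC.
check_principal() {
    keytab=$1; princ=$2
    cc=$(mktemp) || return 1
    if KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ" 2>"$cc.err"; then
        printf 'OK   %s\n' "$princ"
        KRB5CCNAME="FILE:$cc" klist      # show the TGT that was just obtained
        rc=0
    else
        printf 'FAIL %s: %s\n' "$princ" "$(cat "$cc.err")"
        rc=1
    fi
    kdestroy -c "FILE:$cc" 2>/dev/null    # wipe the temporary ticket cache
    rm -f "$cc" "$cc.err"
    return $rc
}

# Check every principal in the keytab (default /etc/krb5.keytab).
# Returns non-zero if any principal failed to get a ticket.
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    status=0
    for p in $(klist -kt "$keytab" | parse_keytab_principals); do
        check_principal "$keytab" "$p" || status=1
    done
    return $status
}

# Only run when asked, so the file can also be sourced for its functions.
if [ -n "${KEYTAB_CHECK_RUN:-}" ]; then
    check_keytab "$@"
fi
```

Run it as root with `KEYTAB_CHECK_RUN=1 sh keytab-check.sh /etc/krb5.keytab`; a FAIL line carries the KDC's error text, which is what you want to compare against the clock on the server.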
