[Freeipa-users] Cannot obtain CA Certificate

Rob Crittenden rcritten at redhat.com
Wed Feb 27 16:43:16 UTC 2013


Petr Spacek wrote:
> On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
>> On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote:
>>>>
>>>>
>>>> < HTTP/1.1 401 Authorization Required
>>>> < Date: Tue, 26 Feb 2013 16:54:21 GMT
>>>> < Server: Apache/2.2.15 (CentOS)
>>>> * gss_init_sec_context() failed: : Server krbtgt/COM@EXAMPLE.COM not
>>>> found in Kerberos database< WWW-Authenticate: Negotiate
>>
>> I have a similar problem getting a couple of RHEL 6.4 clients working
>> with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
>> ipa-client-install I get:
>>
>>     * gss_init_sec_context() failed: : Request is a replay<
>> WWW-Authenticate: Negotiate
> This is very suspicious. Could you double check time on all servers and
> the client?
>
>> I have a ticket opened with RH-support for this (00796525), so I hope
>> to get it fixed that way soonish.. but -- one strange thing about my
>> problem is that I can't even get sssd working if I do a manual
>> enrollment. I've tried doing ipa host-add, ipa host-add-managedby,
>> ipa-getkeytab on the ipa-server, transferred the keytab, but still
>> sssd fails to work. To get sssd working on this machine I had to
>> configure an LDAP backend against the ipa-servers, without
>> "ldap_sasl_mech=GSSAPI".
>>
>> Is there a simple way to verify that the hosts keytab is OK?
>> "klist -k -t -K FILE:/etc/krb5.keytab" works fine, but I'd
>> like to test it against the ipa-server.
>
> You can do kinit as host principal:
>
> $ klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ---------------------------------
>     2 10/17/12 15:22:19 host/host.example.com@EXAMPLE.COM
>
> $ kinit -kt /etc/krb5.keytab host/host.example.com@EXAMPLE.COM
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/host.example.com@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 02/27/13 11:45:02  02/28/13 11:45:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>

You can use kvno to see what the KDC thinks the version number should
be, to compare to what is in the keytab.

rob
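The two checks suggested in this thread (kinit as the host principal with the keytab, then compare the keytab's KVNO with what the KDC reports via kvno) combined into one script. This is an added example, not code from the thread or from FreeIPA; the principal name, the keytab path and the sample klist/kvno output are assumptions modelled on the listing quoted above. kvno needs a ticket, so the live check runs kinit first; the parsing functions are exercised on constructed output so the script also runs on a machine without Kerberos tools.

```shell
#!/bin/sh
# Added example, not from the thread: verify a host keytab against the KDC
# by comparing the key version number (KVNO) stored in the keytab with the
# one the KDC currently issues. Principal and keytab path are assumptions.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINC="${PRINC:-host/host.example.com@EXAMPLE.COM}"

# Highest KVNO recorded for principal $1 in `klist -kt` output read from
# stdin. Prints 0 when the principal is absent from the keytab.
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
                   END { print max + 0 }'
}

# KVNO the KDC reports for principal $1 in `kvno` output read from stdin,
# which looks like:  host/host.example.com@EXAMPLE.COM: kvno = 2
# Prints nothing if no such line exists (e.g. kvno failed).
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# Compare both sources; prints "match", "mismatch" or "missing".
# $1 = principal, $2 = `klist -kt` text, $3 = `kvno` text
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ -z "$kdc" ] || [ "$kt" -eq 0 ]; then
        echo missing
    elif [ "$kt" -eq "$kdc" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample output, modelled on the listing quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------
   2 10/17/12 15:22:19 host/host.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/host.example.com@EXAMPLE.COM: kvno = 2'
# A KDC answer one version ahead of the keytab, i.e. the key was re-issued
# after the keytab was fetched (constructed).
SAMPLE_KVNO_STALE='host/host.example.com@EXAMPLE.COM: kvno = 3'

# Live check: kinit as the host principal using the keytab, then ask the
# KDC for the current KVNO and compare it with the keytab's entry.
live_check() {
    kinit -kt "$KEYTAB" "$PRINC" || return 1
    compare_kvno "$PRINC" "$(klist -kt "$KEYTAB")" "$(kvno "$PRINC" 2>&1)"
}

echo "sample (current): $(compare_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO")"
echo "sample (stale):   $(compare_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE")"
if command -v kinit >/dev/null 2>&1 && [ -r "$KEYTAB" ]; then
    echo "live:             $(live_check)"
fi
```

A "mismatch" means the KDC has re-keyed the principal since the keytab was written (ipa-getkeytab bumps the KVNO each time it is run), so GSSAPI authentication with that keytab will fail until a fresh keytab is fetched; "missing" means either the principal is not in the keytab or kvno could not reach the KDC, which a kinit failure right before it would already have shown.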