[Freeipa-users] GSSAPI Failure

Simo Sorce ssorce at redhat.com
Fri Nov 14 13:25:42 UTC 2008


On Fri, 2008-11-14 at 16:19 +0300, Konstantin Kozlov wrote:
> Simo Sorce wrote:
> > On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
> >> NTP, DNS and DHCP are on another server, they were set up a lot
> >> earlier and working.
> >>
> >> Does the ldapsearch error indicate that FDS fails and not IPA?
> > 
> > No, the failure means that the kdc used and the ldap keytab are not in
> > sync.
> > 
> > Have you tried to manually create a keytab for
> > ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
> > a keytab for this principal with ipa-getkeytab ?
> > 
> > Simo.
> > 
> 
> Yes, I did that. Can it be the problem? Should I remove it? How?

Yes, you basically cleared the secret ldap has and didn't tell it.
You should *never* do that for the IPA server.

If you created that principal with ipa-addservice, remove it; we already
have a special entry in the kerberos part of the tree. That might be
enough, otherwise you will have to reset the key again and store the new
contents in the ds.keytab.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
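
Added example (not part of the original message and not FreeIPA code): a shell check for the out-of-sync condition described above, comparing the key version number (KVNO) the KDC issues for the ldap principal with the one stored in the keytab. The function names, the KEYTAB and PRINCIPAL variables and the sample output are constructed for illustration; klist -k and kvno are the standard MIT Kerberos tools.

```shell
#!/bin/sh
# Added example: detect a service keytab that no longer matches the KDC.
# Re-keying a principal (e.g. with ipa-getkeytab) bumps its KVNO in the KDC,
# so a keytab still holding the old KVNO cannot decrypt newly issued tickets.

# Constructed sample of `klist -k` and `kvno` output (not from a real host).
SAMPLE_KLIST='Keytab name: FILE:ds.keytab
KVNO Principal
---- ----------------------------------------
   2 ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU
   2 ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU'
SAMPLE_KVNO='ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU: kvno = 3'

# keytab_kvno PRINCIPAL: reads `klist -k` output on stdin and prints the
# highest KVNO stored for PRINCIPAL; fails if the principal is absent.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (found) print max; else exit 1 }'
}

# kdc_kvno: reads `kvno PRINCIPAL` output on stdin ("<principal>: kvno = N").
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# compare_kvno KEYTAB_KVNO KDC_KVNO: prints a verdict, returns 0 only if equal.
compare_kvno() {
    if [ "$1" -eq "$2" ]; then
        echo "in sync (kvno $1)"
    else
        echo "out of sync: keytab has kvno $1, KDC issues kvno $2"
        return 1
    fi
}

# Live use (needs a valid ticket; both variables are assumptions of this example):
#   KEYTAB=<path to ds.keytab> PRINCIPAL=ldap/host@REALM sh thisfile.sh
if [ -n "${KEYTAB:-}" ] && [ -n "${PRINCIPAL:-}" ]; then
    kt=$(klist -k "$KEYTAB" | keytab_kvno "$PRINCIPAL") ||
        { echo "principal not found in keytab"; exit 2; }
    kdc=$(kvno "$PRINCIPAL" | kdc_kvno)
    compare_kvno "$kt" "$kdc"
fi
```

A mismatch confirms the keytab is stale; a cached service ticket in the caller's credential cache can make kvno report an older number, so run it from a fresh cache.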
