[Freeipa-users] GSSAPI Failure
Simo Sorce
ssorce at redhat.com
Fri Nov 14 14:33:00 UTC 2008
On Fri, 2008-11-14 at 17:11 +0300, Konstantin Kozlov wrote:
> Simo Sorce wrote:
> > On Fri, 2008-11-14 at 16:40 +0300, Konstantin Kozlov wrote:
> >> I tried to remove it with ktadmin.local but it didn't help. What is
> >> proper way to do that given that ipa-tools do not work?
> >
> > Use ldapdelete with Directory Manager credentials.
> > You have to remoce the one in cn=services, NOT the one in cn=kerberos.
> >
>
> I don't have it in ldap - only this under cn-kerberos:
>
>
>
> dn:
> krbprincipalname=ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU,cn=BIO.SPBCAS.R
> U,cn=kerberos,dc=bio,dc=spbcas,dc=ru
> krbTicketFlags: 0
> krbPrincipalName: ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU
> krbLastPwdChange: 20081114133612Z
> krbExtraData:: AALMfh1JYWRtaW4vYWRtaW5AQklPLlNQQkNBUy5SVQA=
> objectClass: krbprincipal
> objectClass: krbprincipalaux
> objectClass: krbTicketPolicyAux
> objectClass: top
> krbPasswordExpiration: 19700101000000Z
>
> I suppose its not that.
As a last resort you can generate a new secret using kadmin.local and
make sure it is stored in ds.keytab, then restart directory server.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list