[Freeipa-users] sasl binding failed when running ipa-getkeytab
puck at i29.net
Tue Oct 7 22:03:00 UTC 2008
I had this same issue and eventually figured out I'd installed the
x86_64 version of ipa_client but the i386 version of cyrus-sasl-gssapi.
You can check this by issuing the following command:
rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep gss
Hopefully that helps!
Jem
Ivan Levchenko wrote:
On Mon, Sep 29, 2008 at 5:55 PM, Rob Crittenden <rcritten redhat com> wrote:
Did you have a kerberos ticket before running ipa-getkeytab? You need to do
a kinit before running this.
Yes, I did kinit for admin, and klist shows that I have a ticket.
I'm not sure what you mean by "enter them manually" when logging on as an
ipa user.
i.e. when I ssh to the box, it prompts me for a password and
authenticates via pam (which checks against the ipa server), and I get
logged in successfully using the user that is defined on the ipa
server.
Log into which box? The IPA server or another server? If not the IPA
server, does this other server have a host service principal and has
sshd been restarted? Using the -v argument with ssh will show you more
details on what authentication methods it is trying.
You will want to look on the IPA server in /var/log/krb5kdc.log and/or
/var/log/dirsrv/slapd-INSTANCE/error for more information.
I was just tailing those two files while running the ipa-getkeytab
command... nothing...
Also checked any other even remotely relevant log files (messages,
secure...) - nothing...
I'm not sure how that is possible. The error you reported from
ipa-getkeytab is returned if an LDAP GSSAPI bind to the IPA LDAP server
fails.
You can try a similar operation by doing something like:
% ldapsearch -Y GSSAPI -h ipa.freeipa.org -b "dc=freeipa,dc=org" uid=admin
rob
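
The architecture check from the top reply, scripted so it reports the mismatch directly. This is an added example, not part of the original messages. The function name, the "name arch" input format and the sample data are constructed here, and the package names are passed as arguments (ipa-client is assumed to be the installed name of the client package).

```sh
#!/bin/sh
# Added example: flag an architecture mismatch between a client package and
# the SASL GSSAPI plugin package it loads at run time.
# stdin: one "name arch" pair per line, e.g. from
#   rpm -qa --qf '%{name} %{arch}\n'
# Exit status: 0 = matching arch present, 1 = mismatch, 2 = package missing.
arch_mismatch() {
    # $1 = client package name, $2 = plugin package name (caller-supplied)
    awk -v client="$1" -v plugin="$2" '
        $1 == client { c[$2] = 1; nc++ }
        $1 == plugin { p[$2] = 1; np++ }
        END {
            if (!nc) { print "MISSING " client; exit 2 }
            if (!np) { print "MISSING " plugin; exit 2 }
            bad = 0
            for (a in c) {
                # noarch packages carry no native code, so nothing to match.
                if (a != "noarch" && !(a in p)) {
                    print "MISMATCH " client "." a " has no " plugin "." a
                    bad = 1
                }
            }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample input reproducing the situation in the reply:
# 64-bit client, 32-bit GSSAPI plugin only.
sample_rpm_output() {
    printf '%s\n' \
        'ipa-client x86_64' \
        'cyrus-sasl-lib x86_64' \
        'cyrus-sasl-gssapi i386'
}

sample_rpm_output | arch_mismatch ipa-client cyrus-sasl-gssapi || true
```

On a real host, pipe the rpm query shown in the script's header comment into arch_mismatch instead of the sample function.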