[Freeipa-users] Unable to authenticate a client user against IPA

Rob Crittenden rcritten at redhat.com
Wed Mar 9 21:47:28 UTC 2011


Steven Jones wrote:
> Hi,
>
> I have gone into the webgui and manually removed the no1 client/host, it
> has now joined successfully...
>
> So Yes, the next issue....
>
> regards
>

I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using 
Kerberos credentials. It is OK if the host already exists, but it is not 
absolutely required.

* When a host is unenrolled it uses its own credentials (the service 
principal host/client.example.com@EXAMPLE.COM in /etc/krb5.keytab) to 
authenticate to IPA and say "I'm done with these credentials." If you 
lack this principal it cannot authenticate to IPA to say "I'm done with 
these credentials." If a keytab was actually created for this host and 
the contents are lost then you will need to manually free it up for 
enrollment again, either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to 
tracking SSL certificates and 1029 only applies if you used the 
--hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a 
specific host or realm from a keytab file. It has no effect on the 
server at all.

regards

rob
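A small POSIX shell helper, added here as an example and not code from this thread or from the FreeIPA project, that applies the check Rob describes: it reads the text of `ipa host-show <fqdn>`, looks for the `Keytab: True` line, and prints which command an administrator would run next (it never invokes `ipa` itself). The sample `host-show` output embedded in the block is constructed for the example; the real command's layout is assumed to contain a `Keytab:` line as Rob's reply states.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): decide how to free a host for
# re-enrollment from the text of `ipa host-show <fqdn>`.

# Constructed sample of `ipa host-show client.example.com` output.
SAMPLE_HOST_SHOW='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: client.example.com'

# keytab_issued OUTPUT
# Returns 0 when the host-show text reports "Keytab: True", 1 otherwise.
keytab_issued() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True[[:space:]]*$'
}

# free_host_plan FQDN OUTPUT
# Prints the command an admin would run next; it does not run ipa itself.
free_host_plan() {
    fqdn=$1
    if keytab_issued "$2"; then
        # A keytab was issued: the server-side credentials must be revoked
        # (host-disable keeps the host entry; host-del removes it entirely)
        # before ipa-client-install can enroll the host again.
        echo "ipa host-disable $fqdn"
    else
        echo "no keytab issued for $fqdn; enrollment can proceed"
    fi
}

free_host_plan client.example.com "$SAMPLE_HOST_SHOW"
```

`host-disable` is printed rather than `host-del` because it revokes the keytab (and certificate) while keeping the host entry and its memberships, which is the less destructive of the two options Rob lists.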



