[Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones Steven.Jones at vuw.ac.nz
Wed Mar 9 22:50:02 UTC 2011


Ok,

However I can't LDAP/IPA authenticate still... on either client...

So what next?

regards

Steven
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 10 March 2011 10:47 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones wrote:
> Hi,
>
> I have gone into the webgui and manually removed the no1 client/host, it
> has now joined successfully...
>
> So Yes, the next issue....
>
> regards
>

I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using
kerberos credentials. It is ok if the host already exists but not
absolutely required.

* When a host is unenrolled it uses its own credentials (the service
principal in /etc/krb5.keytab host/client.example.com at EXAMPLE.COM) to
authenticate to IPA and say "I'm done with these credentials." If you
lack this principal it cannot authenticate to IPA to say "I'm done with
these credentials." If a keytab was actually created for this host and
the contents are lost then you will need to manually free it up for
enrollment again either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
tracking SSL certificates and 1029 only applies if you used the
--hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a
specific host or realm from a keytab file. It has no effect on the
server at all.

regards

rob
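As an added example, not part of the thread and not FreeIPA's own code: a small POSIX shell helper that applies the check Rob describes above (look for "Keytab: True" in `ipa host-show` output) and prints the matching recovery command. The two `ipa host-show` outputs embedded below are constructed samples so the script runs offline; in real use you would pipe the live output of `ipa host-show client.example.com` into `recommend` instead.

```shell
#!/bin/sh
# Added example: decide whether a host entry must be freed up on the IPA
# server before re-enrolling a client, following the check from the thread.
# The sample outputs are constructed; real output comes from `ipa host-show`.

# Return 0 (true) if the host-show output shows a keytab was issued.
keytab_issued() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True[[:space:]]*$'
}

# Print the command an admin would run to free the host for enrollment.
# "disable" keeps the host entry but revokes its keys; "delete" removes it.
free_host_command() {
    host="$1"
    mode="${2:-disable}"
    case "$mode" in
        disable) echo "ipa host-disable $host" ;;
        delete)  echo "ipa host-del $host" ;;
        *)       echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Given a host name and its host-show output, print the recommended action.
recommend() {
    host="$1"
    output="$2"
    if keytab_issued "$output"; then
        echo "keytab already issued for $host; run: $(free_host_command "$host" disable)"
    else
        echo "no keytab issued for $host; enrollment can proceed"
    fi
}

# Constructed sample: a host whose keytab was issued and then lost on the client.
SAMPLE_ENROLLED='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: client.example.com'

# Constructed sample: a pre-created host that was never enrolled.
SAMPLE_FRESH='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: client.example.com'

recommend client.example.com "$SAMPLE_ENROLLED"
recommend client.example.com "$SAMPLE_FRESH"
```

The helper defaults to `ipa host-disable` rather than `ipa host-del`: disabling revokes the host's Kerberos key and certificate while keeping the host entry, so any attributes or group memberships survive re-enrollment; deletion is the heavier option when the entry itself is no longer wanted.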