[Freeipa-users] Unable to authenticate a client user against IPA

Simo Sorce ssorce at redhat.com
Fri Mar 11 00:48:50 UTC 2011


----- Original Message -----
> Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.AC
> .NZ] not found in keytab [default]
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
> _init)!
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
> (0): fatal error initializing data providers
> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.A
> C.NZ] not found in keytab [default]
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
> _init)!
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
> (0): fatal error initializing data providers
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> [root at Fed14-64-ipacl03 sssd]#
> 
> ========================
> root at Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
> [root at Fed14-64-ipacl03 sssd]#
> 
> ?
> 

Caught Steven on IRC; this was a case of the hostname being mixed case, which confuses the Kerberos libraries, as they are case-sensitive and expect all-lowercase names for hosts.

This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
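
Added example, not part of the original message and not SSSD code: a shell check that tells a case-only mismatch between the host name and the keytab's host principal (the failure in this thread) apart from a principal that is really missing. The helper name check_host_principal and the sample klist output are constructed for illustration.

```shell
# Constructed sample of `klist -k /etc/krb5.keytab` output, modelled on the thread.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ'

# check_host_principal HOSTNAME REALM   (hypothetical helper)
# Reads `klist -k` output on stdin and prints one of:
#   match          host/HOSTNAME@REALM is in the keytab exactly as given
#   case-mismatch  present, but the host part differs only in letter case
#   missing        no host principal for this name in this realm
check_host_principal() {
    want_host=$1
    want_realm=$2
    want_host_lc=$(printf '%s' "$want_host" | tr '[:upper:]' '[:lower:]')
    result=missing
    while read -r kvno princ rest; do
        # Only rows whose first field is a numeric KVNO are keytab entries.
        case $kvno in ''|*[!0-9]*) continue ;; esac
        # Only host/ principals in the expected realm are candidates.
        case $princ in host/*@"$want_realm") ;; *) continue ;; esac
        host=${princ#host/}
        host=${host%@*}
        if [ "$host" = "$want_host" ]; then
            result=match
            break
        fi
        host_lc=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        if [ "$host_lc" = "$want_host_lc" ]; then
            result=case-mismatch
        fi
    done
    printf '%s\n' "$result"
}

# Host name as it appears on the client in the thread (mixed case), then lowercased.
printf '%s\n' "$SAMPLE_KLIST" | check_host_principal Fed14-64-ipacl03.ipa.ac.nz IPA.AC.NZ
printf '%s\n' "$SAMPLE_KLIST" | check_host_principal fed14-64-ipacl03.ipa.ac.nz IPA.AC.NZ
```

On a live client, pipe the real `klist -k /etc/krb5.keytab` output into the function and pass the output of `hostname` as the first argument.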



