[Freeipa-users] Unable to authenticate a client user against IPA

Rob Crittenden rcritten at redhat.com
Fri Mar 11 14:49:36 UTC 2011


Simo Sorce wrote:
> ----- Original Message -----
>> Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]]
>> [sss_krb5_verify_keytab_ex] (0): Principal
>> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.AC
>> .NZ] not found in keytab [default]
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
>> Could not verify keytab
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
>> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
>> _init)!
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
>> (0): fatal error initializing data providers
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
>> initialize backend [14]
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]]
>> [sss_krb5_verify_keytab_ex] (0): Principal
>> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.A
>> C.NZ] not found in keytab [default]
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
>> Could not verify keytab
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
>> (0): Error (14) in module (ipa) initialization (sssm_ipa_id
>> _init)!
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
>> (0): fatal error initializing data providers
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
>> initialize backend [14]
>> [root at Fed14-64-ipacl03 sssd]#
>>
>> ========================
>> root at Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
>> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
>> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
>> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ
>> [root at Fed14-64-ipacl03 sssd]#
>>
>> ?
>>
>
> Caught Steven on IRC, this was a case of hostname being mixed case, which confuses kerberos libraries as they are case-sensitive and expect all lowercase names for hosts.
>
> This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-)
>
> Simo.
>

Simo, this probably explains why the keytab isn't disabled on the server 
when he uninstalls the client. I'll make sure that gets tested as part 
of ticket 1080.

rob
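A small checker, added here as an example and not code from sssd or FreeIPA, that reproduces the case-sensitive comparison Simo describes: it parses `klist -k` output (a constructed sample below, written with `@` where the list archive shows ` at `) and reports whether the `host/<hostname>@<REALM>` principal sssd would build from the system hostname is present exactly, differs only in case, or is absent altogether.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output, modelled on the
# thread: the keytab holds the all-lowercase host principal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
"""

# Matches the "<kvno> <principal>" rows and skips the header/separator lines.
_KLIST_ROW = re.compile(r"\s*\d+\s+(\S+@\S+)\s*$")


def parse_keytab_principals(klist_output):
    """Return the set of principal names listed by `klist -k`."""
    principals = set()
    for line in klist_output.splitlines():
        m = _KLIST_ROW.match(line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_host_principal(hostname, realm):
    """Principal sssd would look for, built from the hostname as configured."""
    return "host/%s@%s" % (hostname, realm)


def check_host_principal(hostname, realm, klist_output):
    """Classify the lookup the way the Kerberos library sees it.

    Returns 'ok' on an exact (case-sensitive) match, 'case-mismatch' when the
    only difference is letter case (the situation in the thread, where the
    hostname was mixed case), and 'missing' when no such principal exists.
    """
    wanted = expected_host_principal(hostname, realm)
    principals = parse_keytab_principals(klist_output)
    if wanted in principals:
        return "ok"
    if any(p.lower() == wanted.lower() for p in principals):
        return "case-mismatch"
    return "missing"


if __name__ == "__main__":
    # Mixed-case hostname, as on the client in the thread: the keytab entry
    # exists but sssd's exact-match lookup fails.
    print(check_host_principal("Fed14-64-ipacl03.ipa.ac.nz", "IPA.AC.NZ", SAMPLE_KLIST))
```

A `case-mismatch` result points at the hostname (`hostname`, `/etc/hostname`, or sssd's configured hostname) rather than at re-enrolling the keytab.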
