[Freeipa-users] keytab issue with service principal
sipazzo
sipazzo at yahoo.com
Tue Jun 30 19:50:30 UTC 2015
Thank you, I had tried it both ways with the same results. I just misunderstood the documentation, I guess, so I tried the -S to try to force it to use the service keytab for authentication.
kinit -k -t /opt/oracle/admin/oracledb.keytab
kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com@EXAMPLE.COM while getting initial credentials
Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much.
From: Alexander Bokovoy <abokovoy at redhat.com>
To: sipazzo <sipazzo at yahoo.com>
Cc: Freeipa-users <freeipa-users at redhat.com>
Sent: Tuesday, June 30, 2015 12:16 PM
Subject: Re: [Freeipa-users] keytab issue with service principal
----- Original Message -----
> I am trying to troubleshoot kerberos authentication for an oracle service
> (oracledb) and getting the following error when testing the service keytab
> on the database server (oracledbsrvr):
>
> oracle at oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S
> oracledb/oracledbsrvr.example.com
> kinit: Keytab contains no suitable keys for
> host/oracledbsrvr.example.com@EXAMPLE.COM while getting initial credentials
Remove the -S option, just specify your oracledb/`hostname` principal.
With the -S option, your oracledb/`hostname` principal is consumed by the -S option, and then the default principal is what you are authenticating with.
Which means "I want to obtain credentials to the oracledb/`hostname` service, not krbtgt/EXAMPLE.COM@EXAMPLE.COM, but I'll be authenticating as host/`hostname` for that."
But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. kinit doesn't see them there and fails.
Why did you choose to use the -S option?
--
/ Alexander Bokovoy
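
The behaviour described in this thread, as an added example that is not part of the original messages: a pre-flight check that works out which client principal `kinit -k` will authenticate as and whether the keytab holds a key for it. The helper names (`kinit_client`, `keytab_has`, `check_kinit`) are hypothetical, the `klist -k` listing is constructed, and the option handling assumes MIT kinit.

```shell
#!/bin/sh
# Constructed `klist -k` listing: the keytab holds only the service principal.
SAMPLE_KLIST='Keytab name: FILE:/opt/oracle/admin/oracledb.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 oracledb/oracledbsrvr.example.com@EXAMPLE.COM
   1 oracledb/oracledbsrvr.example.com@EXAMPLE.COM'

# Print the client principal `kinit -k` authenticates as.
# Usage: kinit_client HOST REALM [kinit arguments...]
kinit_client() {
    host=$1 realm=$2; shift 2
    client=
    while [ $# -gt 0 ]; do
        case $1 in
            # Options that take a value (MIT kinit). -S swallows the service
            # name that follows it, so that name is NOT the client principal.
            -*[lsrtcSTXI]) shift ;;
            -*) ;;                  # plain flags such as -k or -f
            *) client=$1 ;;         # positional argument: client principal
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    # With -k and no principal, kinit falls back to the host principal.
    [ -n "$client" ] || client="host/$host"
    case $client in *@*) ;; *) client="$client@$realm" ;; esac
    printf '%s\n' "$client"
}

# Succeed if the principal appears in `klist -k` (or -kt) output on stdin.
keytab_has() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { found = 1 } END { exit !found }'
}

# Usage: klist -k KEYTAB | check_kinit HOST REALM [kinit arguments...]
check_kinit() {
    client=$(kinit_client "$@")
    if keytab_has "$client"; then
        echo "ok: keytab has a key for $client"
    else
        echo "fail: keytab contains no keys for $client"; return 1
    fi
}

KT=/opt/oracle/admin/oracledb.keytab SVC=oracledb/oracledbsrvr.example.com
# The command from the thread (with -S), then the corrected form without it.
printf '%s\n' "$SAMPLE_KLIST" | check_kinit oracledbsrvr.example.com EXAMPLE.COM -kt "$KT" -S "$SVC" || true
printf '%s\n' "$SAMPLE_KLIST" | check_kinit oracledbsrvr.example.com EXAMPLE.COM -kt "$KT" "$SVC" || true
```

On a real host, replace the constructed listing with `klist -k /path/to/keytab` and pass the output of `hostname -f` and the realm as the first two arguments.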