[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}
Petr Spacek
pspacek at redhat.com
Thu Dec 22 07:24:40 UTC 2016
On 21.12.2016 21:36, Brian J. Murrell wrote:
> Some additional information. I can't seem to use the CLI either.
> Perhaps that is expected:
>
> # kinit admin
> Password for admin at EXAMPLE.COM:
>
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> Default principal: admin at EXAMPLE.COM
>
> Valid starting Expires Service principal
> 21/12/16 15:29:20 22/12/16 15:29:17 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>
> # ipa host-find
> ipa: ERROR: Insufficient access: Invalid credentials
>
> When I do that (the ipa host-find) /var/log/krb5kdc.log says:
>
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 1482352160, etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for HTTP/server.example.com at EXAMPLE.COM
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 1482352160, etypes {rep=18 tkt=18 ses=18}, HTTP/server.example.com at EXAMPLE.COM for ldap/server.example.com at EXAMPLE.COM
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM
> Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
>
> Not sure if that's helpful or not but it's something new (to me) so I
> thought I would add it to the case.
>
> Most unfortunately I need to access IPA to do some configuration
> changes so this is getting more unfortunate than just some errors in a
> log now. :-(
Yes, this will be a manifestation of the same problem. Interestingly the LDAP
server should use the ds.keytab file instead of krb5.keytab.
We need someone from DS team or with deep Kerberos/gssproxy knowledge to look
into it.
Simo, Ludwig, how can this happen?
--
Petr^2 Spacek