<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1435691009101_7533">Thank you, I had tried it both ways with the same results. Just misunderstood the documentation, I guess, so tried the -S to try to force it to use the service keytab for authentication.<br></div><div id="yui_3_16_0_1_1435691009101_7532"><br></div><div id="yui_3_16_0_1_1435691009101_7537" dir="ltr">kinit -k -t /opt/oracle/admin/oracledb.keytab<br class="">kinit: Keytab contains no suitable keys for host/oracledbsrvr.example.com@EXAMPLE.COM while getting initial credentials</div><div id="yui_3_16_0_1_1435691009101_10615" dir="ltr"><br></div><div id="yui_3_16_0_1_1435691009101_10642" dir="ltr">Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much.<br></div><div id="yui_3_16_0_1_1435691009101_10554" dir="ltr"><br></div><div id="yui_3_16_0_1_1435691009101_7492"><span></span></div><br> <div id="yui_3_16_0_1_1435691009101_7495" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1435691009101_7494" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1435691009101_7493" dir="ltr"> <hr id="yui_3_16_0_1_1435691009101_7578" size="1"> <font id="yui_3_16_0_1_1435691009101_7538" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Alexander Bokovoy &lt;abokovoy@redhat.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> sipazzo &lt;sipazzo@yahoo.com&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> Freeipa-users &lt;freeipa-users@redhat.com&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, June 30, 2015 12:16 PM<br> <b id="yui_3_16_0_1_1435691009101_10601"><span id="yui_3_16_0_1_1435691009101_10600" style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] 
keytab issue with service principal<br> </font> </div> <div id="yui_3_16_0_1_1435691009101_7539" class="y_msg_container"><br><br clear="none"><div class="qtdSeparateBR"><br><br></div><div class="yqt3214461521" id="yqtfd50341"><br clear="none">----- Original Message -----<br clear="none">&gt; I am trying to troubleshoot Kerberos authentication for an Oracle service<br clear="none">&gt; (oracledb) and getting the following error when testing the service keytab<br clear="none">&gt; on the database server (oracledbsrvr):<br clear="none">&gt; <br clear="none">&gt; oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S<br clear="none">&gt; oracledb/oracledbsrvr.example.com<br clear="none">&gt; kinit: Keytab contains no suitable keys for<br clear="none">&gt; host/oracledbsrvr.example.com@EXAMPLE.COM while getting initial credentials</div><br clear="none">Remove the -S option, just specify your oracledb/`hostname` principal.<br clear="none"><br clear="none">With the -S option, your oracledb/`hostname` principal is consumed by the -S option and then the default principal is what you are authenticating with.<br clear="none">Which means "I want to obtain credentials to the oracledb/`hostname` service, not krbtgt/EXAMPLE.COM@EXAMPLE.COM, but I'll be authenticating as host/`hostname` for that."<br clear="none"><br clear="none">But when you are using host/`hostname`, your keytab is supposed to contain keys for this principal. 
kinit doesn't see them there and fails.<br clear="none"><br clear="none">Why did you choose to use the -S option?<br clear="none">-- <br clear="none">/ Alexander Bokovoy<div class="yqt3214461521" id="yqtfd22963"><br clear="none"></div><br><br></div> </div> </div> </div></body></html>