<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px">Thank you so much, that was it - just a wrong command. Appreciate the help and quick response.<br><div id="yui_3_16_0_1_1435691009101_12183"><span></span></div><br>  <div id="yui_3_16_0_1_1435691009101_12176" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1435691009101_12175" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1435691009101_12174" dir="ltr"> <hr size="1">  <font id="yui_3_16_0_1_1435691009101_12173" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Simo Sorce <simo@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> sipazzo <sipazzo@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Freeipa-users <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, June 30, 2015 12:39 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] keytab issue with service principal<br> </font> </div> <div id="yui_3_16_0_1_1435691009101_12177" class="y_msg_container"><br>On Tue, 2015-06-30 at 19:34 +0000, sipazzo wrote:<br clear="none">> Output of klist -kt is <br clear="none">> KVNO Timestamp         Principal<br clear="none">> ---- ----------------- --------------------------------------------------------<br clear="none">>    2 06/30/15 17:12:13 oracledb/<a id="yui_3_16_0_1_1435691009101_12182" shape="rect" ymailto="mailto:oracledbsrvr.example.com@EXAMPLE.COM" href="mailto:oracledbsrvr.example.com@EXAMPLE.COM">oracledbsrvr.example.com@EXAMPLE.COM</a><br clear="none">>    2 06/30/15 17:12:13 oracledb/<a shape="rect" ymailto="mailto:oracledbsrvr.example.com@EXAMPLE.COM" href="mailto:oracledbsrvr.example.com@EXAMPLE.COM">oracledbsrvr.example.com@EXAMPLE.COM</a><br clear="none">>    2 06/30/15 17:12:13 oracledb/<a shape="rect" ymailto="mailto:oracledbsrvr.example.com@EXAMPLE.COM" href="mailto:oracledbsrvr.example.com@EXAMPLE.COM">oracledbsrvr.example.com@EXAMPLE.COM</a><br clear="none">>    2 06/30/15 17:12:13 oracledb/<a shape="rect" ymailto="mailto:oracledbsrvr.example.com@EXAMPLE.COM" href="mailto:oracledbsrvr.example.com@EXAMPLE.COM">oracledbsrvr.example.com@EXAMPLE.COM</a>     From: Simo Sorce <<a shape="rect" ymailto="mailto:simo@redhat.com" href="mailto:simo@redhat.com">simo@redhat.com</a>><br clear="none">>  To: sipazzo <<a id="yui_3_16_0_1_1435691009101_12181" shape="rect" ymailto="mailto:sipazzo@yahoo.com" href="mailto:sipazzo@yahoo.com">sipazzo@yahoo.com</a>> <br clear="none">> Cc: Freeipa-users <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> <br clear="none">>  Sent: Tuesday, June 30, 2015 11:52 AM<br clear="none">>  Subject: Re: [Freeipa-users] keytab issue with service principal<br clear="none"><br clear="none">Then the command you want to run is:<br clear="none">kinit -kt /opt/oracle/admin/oracledb.keytab oracledb/oracledbsrvr.example.com<br clear="none"><br clear="none">Note, no -S<div class="qtdSeparateBR"><br><br></div><div class="yqt6671997494" id="yqtfd21577"><br clear="none"><br clear="none">Simo.<br clear="none"><br clear="none">> On Tue, 2015-06-30 at 18:44 +0000, sipazzo wrote:<br clear="none">> <br clear="none">> <br clear="none">> > I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr):<br clear="none">> > <a shape="rect" ymailto="mailto:oracle@oracledbsrvr" href="mailto:oracle@oracledbsrvr">oracle@oracledbsrvr</a> ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com<br clear="none">> > kinit: Keytab contains no suitable keys for host/<a shape="rect" ymailto="mailto:oracledbsrvr.example.com@EXAMPLE.COM" href="mailto:oracledbsrvr.example.com@EXAMPLE.COM">oracledbsrvr.example.com@EXAMPLE.COM</a> while getting initial credentials<br clear="none">> > <br clear="none">> > <br clear="none">> > When I use a client program like sqlplus on the database server connecting as a freeipa user with valid kerberos ticket it appears to work fine though. I cannot get it working from a remote client however.  Is this error a red herring or should I be concerned about this? kvno and klist show same number.<br clear="none">> <br clear="none">> What's the output of klist -kt /opt/oracle/admin/oracledb.keytab ?<br clear="none">> <br clear="none">> Simo.<br clear="none">> <br clear="none"><br clear="none"><br clear="none">-- <br clear="none">Simo Sorce * Red Hat, Inc * New York<br clear="none"><br clear="none"></div><br><br></div> </div> </div>  </div></body></html>