Alexander,

I followed your instructions and ran into a problem.

These commands went as described:
$ ipa service-add api-requester/`hostname`
$ ipa service-allow-retrieve-keytab api-requester/`hostname` --users=me
$ ipa service-allow-create-keytab api-requester/`hostname` --users=me
$ ipa-getkeytab -Y GSSAPI -k api-requester.keytab  -p api-requester/`me`
$ KRB5_CLIENT_KTNAME=./api-requester.keytab KRB5CCNAME=./api.ccache ipa console
(Custom IPA interactive Python console)
     api: IPA API object
     pp: pretty printer
api.Command.whoami()
{'object': 'service', 'command': 'service_show/1', 'arguments': ('api-requester/some-host.example....@example.com',)}

HOWEVER, when I tried this:
api.Command.service_show('api-requester/some-host.example....@example.com')

I got this error:
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 471, in __do_call
    params = self.convert(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in convert
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in <genexpr>
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 852, in convert
    return convert(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 839, in convert
    return self._convert_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 2152, in _convert_scalar
    return super(Principal, self)._convert_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 862, in _convert_scalar
    raise ConversionError(name=self.name, error=ugettext(self.type_error))
ConversionError: invalid 'krbcanonicalname': must be Kerberos principal


The argument I used in the "service_show" is identical to the argument returned 
from the "whoami" command.
What is even stranger, if I exit the console and try:

api.Command.ipa service-show api-requester/some-host.example....@example.com

I get the expected response.

I ran this on a CentOS 7 IPA client v4.6.5-11.el7.centos.3.x86_64
The server is RHEL 7, IPA/RH-IdM server v4.6.5-11.el7_7.3.x86_64

Any ideas?
