Hello, I apologize if this has been previously resolved. I am new to the FreeIPA product. Our ops team has created a keytab (please kindly see below for the command used) on a Windows AD server. I copied the keytab file, along with the KDC and root-CA certificates, to a Red Hat Linux server, added a second REALM entry in /etc/krb5.conf (per recommendations from Google searches and blogs), and tried 'kinit' (please see the command used below). The CLI response (error) is listed below and I would appreciate guidance on the possible root causes and remedies. Thank you very much. -Chris
#----- Linux system configuration (the server where the keytab is placed for automation) -----

$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.3"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.3"

#---- Windows AD server configuration (the server where the keytab is created) -----

PS C:\temp> systeminfo
Host Name:                 MGMT-062-AD
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          EXAMPLE, Inc
Registered Organization:   EXAMPLE.COM
Product ID:                00429-70000-00000-AA235
Original Install Date:     3/25/2020, 8:52:14 PM
System Boot Time:          4/14/2021, 5:18:21 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2600 Mhz
BIOS Version:              Xen 4.7<denied>, 12/14/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     16,380 MB
Available Physical Memory: 12,006 MB
Virtual Memory: Max Size:  18,812 MB
Virtual Memory: Available: 14,772 MB
Virtual Memory: In Use:    4,040 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    internal2.example.com
Logon Server:              \\MGMT-062-AD
Hotfix(s):                 16 Hotfix(s) Installed.
                           [01]: KB4601558
                           [02]: KB4494174
                           [03]: KB4516115
                           [04]: KB4523204
                           [05]: KB4535680
                           [06]: KB4539571
                           [07]: KB4549947
                           [08]: KB4562562
                           [09]: KB4580325
                           [10]: KB4587735
                           [11]: KB4598480
                           [12]: KB4601393
                           [13]: KB5000859
                           [14]: KB5001404
                           [15]: KB5003243
                           [16]: KB5003171
Network Card(s):           1 NIC(s) Installed.
                           [01]: XenServer PV Network Device
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.93.178.118
                                 [02]: fe80::580:2a39:3c96:efa0
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\temp>

#----- Command used on Windows AD server (mgmt-062-ad) to create the keytab file -----

C:/> ktpass -out ldap-ad-2.keytab -princ l...@mgmt-062-ad.internal2.example.com@INTERNAL2.EXAMPLE.COM +rndPass -mapUser l...@internal2.example.com -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL

#------ Error message -----

$ klist -kt ldap-ad-2.keytab
Keytab name: FILE:ldap-ad-2.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  18 12/31/1969 18:00:00 l...@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM

#------ KRB5 Configuration File -----

$ cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = INTERNAL.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  INTERNAL.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
  INTERNAL2.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.DomainController.Cert.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.RootCA.Cert.pem
  }

[domain_realm]
  .internal..example.com = INTERNAL.EXAMPLE.COM
  internal..example.com = INTERNAL.EXAMPLE.COM
  mgmt-027-auto.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
  .mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
  mgmt.internal..example.com = INTERNAL.EXAMPLE.COM

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
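As an added illustration (not code from the post, from FreeIPA or from MIT Kerberos), here is a small Python parser for the MIT 0x0502 keytab format that lists what `klist -kt` lists and flags the symptom visible in the klist output above: a principal whose name or realm contains a literal '@' (printed as `\@`), i.e. the stored principal is not a clean name@REALM. The `build_entry` helper, the sample principals and the expected realm are assumptions constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone

def _octets(buf, pos):  # counted octet string: uint16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_entry(components, realm, kvno, enctype, key, timestamp=0, name_type=1):
    # Encode one 0x0502 entry; used here only to construct sample keytabs (assumed helper).
    def octets(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + octets(realm)
    body += b"".join(octets(c) for c in components)
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF, enctype, len(key))
    return struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)

def parse_keytab(data):
    """Return the entries of a 0x0502 keytab as dicts (the fields `klist -kt` prints)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size < 0:                      # negative size marks a deleted slot
            pos += 4 - size
            continue
        end = pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos + 4)
        realm, p = _octets(data, pos + 6)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(data, p)
            comps.append(c)
        name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        # A trailing 32-bit kvno, if present and non-zero, overrides the 8-bit one.
        kvno = (struct.unpack_from(">I", data, p)[0] if p + 4 <= end else 0) or vno8
        entries.append({"components": comps, "realm": realm, "kvno": kvno, "enctype": etype,
                        "name_type": name_type, "timestamp": datetime.fromtimestamp(ts, timezone.utc)})
        pos = end
    return entries

def principal_issues(entry, expected_realm):  # checks a client-side review would run
    issues = []
    if any("@" in s for s in entry["components"] + [entry["realm"]]):
        issues.append("literal '@' inside the principal (klist shows it as '\\@'): not a clean name@REALM")
    if entry["realm"] != expected_realm:
        issues.append(f"realm {entry['realm']!r} != expected {expected_realm!r}")
    return issues
```

Run it as `principal_issues(e, "INTERNAL2.EXAMPLE.COM") for e in parse_keytab(open("ldap-ad-2.keytab", "rb").read())`; an empty list per entry means the principal and realm look sane, and a zero timestamp alone is not an error.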