Simo Sorce wrote:
----- Original Message -----
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac.NZ] not found in keytab [default]
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
[root@Fed14-64-ipacl03 sssd]#
========================
[root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
[root@Fed14-64-ipacl03 sssd]#
?
Caught Steven on IRC, this was a case of hostname being mixed case, which
confuses Kerberos libraries as they are case-sensitive and expect all lowercase
names for hosts.
This would not have been a problem if sssd just used the first key in the
keytab instead of trying to guess the principal name in advance. (Yeah being
stingy, no pressure Stephen :-)
Simo.
Simo, this probably explains why the keytab isn't disabled on the server
when he uninstalls the client. I'll make sure that gets tested as part
of ticket 1080.
rob
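
Added example (not part of the original thread, and not sssd or FreeIPA code): a small shell check for the failure discussed above, where the host name differs from the keytab's host principal only by letter case. The function names, the sample host name and the realm are constructed for illustration.

```shell
#!/bin/sh
# check_host_principal HOSTNAME REALM
# Reads `klist -k` output on stdin and prints one of:
#   exact          - host/HOSTNAME@REALM is in the keytab as given
#   case-mismatch  - present only when letter case is ignored
#   missing        - not present at all
check_host_principal() {
    want="host/$1@$2"
    awk -v want="$want" '
        # Keytab entry lines start with a numeric KVNO; header lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if ($2 == want) exact = 1
            else if (tolower($2) == tolower(want)) folded = 1
        }
        END {
            if (exact) print "exact"
            else if (folded) print "case-mismatch"
            else print "missing"
        }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client01.example.test@EXAMPLE.TEST
   1 host/client01.example.test@EXAMPLE.TEST'

# demo HOSTNAME: run the check against the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_KLIST" | check_host_principal "$1" EXAMPLE.TEST
}

# A mixed-case host name, as in the thread, matches only case-insensitively.
demo "Client01.example.test"

# On a live client (assumes `hostname -f` returns the FQDN the client uses):
#   klist -k /etc/krb5.keytab | check_host_principal "$(hostname -f)" YOUR.REALM
```

A "case-mismatch" result corresponds to the "not found in keytab" error in the log even though klist shows a host principal for the machine.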