Re: [Freeipa-users] Unable to authenticate a client user against IPA

Rob Crittenden Fri, 11 Mar 2011 06:53:10 -0800

Simo Sorce wrote:

----- Original Message -----

Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl03.ipa.ac...@ipa.ac
.NZ] not found in keytab [default]
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id
_init)!
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
(0): fatal error initializing data providers
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A
C.NZ] not found in keytab [default]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id
_init)!
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init]
(0): fatal error initializing data providers
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
[root@Fed14-64-ipacl03 sssd]#


========================
root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
[root@Fed14-64-ipacl03 sssd]#

?


Caught Steven on IRC, this was a case of hostname being mixed case, which 
confuses kerberos libraries as they are case-sensitive and expect all lowercase 
names for hosts.

This would not have been a problem if sssd just used the first key in the 
keytab instead of trying to guess the principal name in advance. (Yeah being 
stingy, no pressure Stephen :-)

Simo.

Simo, this probably explain why the keytab isn't disabled on the serverwhen he uninstalls the client. I'll make sure that gets tested as partof ticket 1080.


rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Unable to authenticate a client user against IPA

Reply via email to