On pe, 12 helmi 2021, Mike Conner via FreeIPA-users wrote:
Thank you. I've run the following command on the broken client. In
this
instance 'ipa.ipa.domain.edu' is the IPA server. 'IPA$(a)DOMAIN.EDU' was
used simply because it's what I saw in the logs.
KRB5CCNAME=/var/lib/sss/db/ccache_IPA.DOMAIN.EDU /usr/sbin/ipa-getkeytab -r -s
ipa.ipa.domain.edu -p 'IPA$(a)DOMAIN.EDU' -k
/var/lib/sss/keytabs/domain.edu.keytab-test
The result is:
`Failed to load translations
Failed to parse result: Insufficient access rights
Failed to get keytab`
This is expected behavior because you are running the command on a wrong
host. 'IPA$DOMAIN.EDU' is a trusted domain object that is highly
privileged as it represents whole IPA domain in view of a trusted Active
Directory forest. Only IPA replicas with 'trust agent' or 'trust
controller' roles have access to it. There is explicit ACIs set to allow
such access only to host/... principals of those IPA replicas.
The command Sumit asked you to run should be ran on IPA master, not the
client. E.g., on
ipa.ipa.domain.edu.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland