On pe, 12 helmi 2021, Mike Conner via FreeIPA-users wrote:
Thank you. I've run the following command on the broken client. In this instance 'ipa.ipa.domain.edu' is the IPA server. 'IPA$@DOMAIN.EDU' was used simply because it's what I saw in the logs.
KRB5CCNAME=/var/lib/sss/db/ccache_IPA.DOMAIN.EDU /usr/sbin/ipa-getkeytab -r -s ipa.ipa.domain.edu -p 'IPA$@DOMAIN.EDU' -k /var/lib/sss/keytabs/domain.edu.keytab-test
The result is: `Failed to load translations Failed to parse result: Insufficient access rights
Failed to get keytab`
This is expected behavior because you are running the command on a wrong host. 'IPA$DOMAIN.EDU' is a trusted domain object that is highly privileged as it represents whole IPA domain in view of a trusted Active Directory forest. Only IPA replicas with 'trust agent' or 'trust controller' roles have access to it. There is explicit ACIs set to allow such access only to host/... principals of those IPA replicas.
The command Sumit asked you to run should be ran on IPA master, not the client. E.g., on ipa.ipa.domain.edu.