I'm afraid I don't know how to construct the right ipa-getkeytab command to test.
Do I run ipa-getkeytab on the client or on the ipa server? For the IPA$(a)DOMAIN.EDU
principal?
I thought about STARTTLS pointing to a certificate issue. The certs on the ipa server are
not expired:
getcert list | grep expires
expires: 2022-06-18 21:28:39 UTC
expires: 2022-05-24 03:14:46 UTC
expires: 2022-05-24 03:15:16 UTC
expires: 2022-05-24 03:14:56 UTC
expires: 2038-07-11 18:11:01 UTC
expires: 2022-05-24 03:14:38 UTC
expires: 2022-08-01 03:40:17 UTC
expires: 2022-06-15 03:14:35 UTC
expires: 2022-06-15 03:14:50 UTC
Could it be an issue with an expired certificate on the AD end?
Thank you!