On Fri, Feb 12, 2021 at 02:10:09PM -0000, Mike Conner via FreeIPA-users wrote:
> I'm afraid I don't know how to construct the right ipa-getkeytab command to test. Do I run ipa-getkeytab on the client or on the ipa server? For the IPA$@DOMAIN.EDU principal?
Hi,
SSSD calls
KRB5CCNAME=/var/lib/sss/db/ccache_ipa.domain.edu /usr/sbin/ipa-getkeytab -r -s test.ipa.domain.edu -p 'IPA$@DOMAIN.EDU' -k /var/lib/sss/keytabs/domain.edu.keytab-test
I added '-test' to the keytab name to not overwrite the ones created by SSSD. The Kerberos credential cache /var/lib/sss/db/ccache_ipa.domain.edu has the Kerberos TGT of the host account which should have the proper permissions to request a keytab.
HTH
bye, Sumit
I thought about STARTTLS pointing to a certificate issue. The certs on the ipa server are not expired:
getcert list | grep expires
    expires: 2022-06-18 21:28:39 UTC
    expires: 2022-05-24 03:14:46 UTC
    expires: 2022-05-24 03:15:16 UTC
    expires: 2022-05-24 03:14:56 UTC
    expires: 2038-07-11 18:11:01 UTC
    expires: 2022-05-24 03:14:38 UTC
    expires: 2022-08-01 03:40:17 UTC
    expires: 2022-06-15 03:14:35 UTC
    expires: 2022-06-15 03:14:50 UTC
Could it be an issue with an expired certificate on the AD end? Thank you!
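The message above eyeballs "expires:" timestamps from getcert to rule out an expired certificate on the IPA side. The following is an added example, not code from the thread or from FreeIPA/certmonger: a small POSIX shell helper that parses `getcert list` output and reports every tracked request whose expiry lies before a cutoff. The sample input is constructed to mimic the output shape (a `Request ID '...':` header followed by an indented `expires:` line), and the cutoff is passed as an ISO "YYYY-MM-DD HH:MM:SS UTC" string so the comparison is a plain string compare that works without GNU date extensions.

```shell
#!/bin/sh
# Added example (not from the thread): flag certmonger-tracked certificates
# whose "expires:" timestamp is earlier than a cutoff date.
#
# Assumptions: `getcert list` prints one "Request ID '<id>':" header per
# tracked certificate and, somewhere below it, an indented
# "expires: YYYY-MM-DD HH:MM:SS UTC" line. Because the timestamp is ISO
# formatted and zero padded, a lexical comparison orders dates correctly.

# Constructed sample modelled on the getcert output quoted in the thread.
SAMPLE_GETCERT="Request ID '20210101000001':
        status: MONITORING
        expires: 2022-06-18 21:28:39 UTC
Request ID '20210101000002':
        status: MONITORING
        expires: 2022-05-24 03:14:46 UTC
Request ID '20210101000003':
        status: MONITORING
        expires: 2038-07-11 18:11:01 UTC"

# certs_expiring_before CUTOFF  (reads getcert output on stdin)
# Prints "<request id> <expires>" for each request expiring before CUTOFF.
certs_expiring_before() {
    cutoff="$1"
    awk -v cutoff="$cutoff" '
        /^Request ID/ {
            id = $3
            gsub(/[\x27:]/, "", id)        # strip quotes and trailing colon
        }
        /^[ \t]*expires:/ {
            ts = $2 " " $3 " " $4          # "YYYY-MM-DD HH:MM:SS UTC"
            if (ts < cutoff) print id, ts  # string compare on ISO timestamps
        }'
}

# count_expiring CUTOFF  (reads getcert output on stdin)
# Number of tracked requests expiring before CUTOFF.
count_expiring() {
    certs_expiring_before "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: everything already
# expired as of 2022-06-01 should be exactly one request.
printf '%s\n' "$SAMPLE_GETCERT" | certs_expiring_before "2022-06-01 00:00:00 UTC"
```

On a real IPA server the same helper can be fed live data with `getcert list | certs_expiring_before "$(date -u +'%Y-%m-%d %H:%M:%S UTC')"`; to get a 30-day look-ahead rather than "already expired", pass a cutoff produced by `date -u -d '+30 days' ...` (GNU date) instead. Note that this only covers certificates certmonger tracks on the IPA host; it says nothing about the AD side asked about above.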