Hello,
I apologize if this has been previously resolved. I am new to the FreeIPA product. Our ops team has created a keytab (please kindly see below for the command used) on a Windows AD server. I copied the keytab file, along with the KDC and root-CA certificates, to a RedHat Linux server, added a second REALM entry in /etc/krb5.conf (per Google blog recommendations) and tried 'kinit' (please see the command used below).
The cli response (error) is listed below and I would appreciate guidance on the possible root causes and remedies.
Thank you very much.
-Chris
#----- Linux system configuration (the server where the keytab is placed for automation) --------------------------------------------------------
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.3"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.3 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.3:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.3"
#---- Windows AD server configuration (the server where the keytab is created) ---------------------------------------------------------------
PS C:\temp> systeminfo
Host Name: MGMT-062-AD
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: EXAMPLE, Inc
Registered Organization: EXAMPLE.COM
Product ID: 00429-70000-00000-AA235
Original Install Date: 3/25/2020, 8:52:14 PM
System Boot Time: 4/14/2021, 5:18:21 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2600 Mhz
BIOS Version: Xen 4.7<denied>, 12/14/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 16,380 MB
Available Physical Memory: 12,006 MB
Virtual Memory: Max Size: 18,812 MB
Virtual Memory: Available: 14,772 MB
Virtual Memory: In Use: 4,040 MB
Page File Location(s): C:\pagefile.sys
Domain: internal2.example.com
Logon Server: \\MGMT-062-AD
Hotfix(s): 16 Hotfix(s) Installed.
[01]: KB4601558
[02]: KB4494174
[03]: KB4516115
[04]: KB4523204
[05]: KB4535680
[06]: KB4539571
[07]: KB4549947
[08]: KB4562562
[09]: KB4580325
[10]: KB4587735
[11]: KB4598480
[12]: KB4601393
[13]: KB5000859
[14]: KB5001404
[15]: KB5003243
[16]: KB5003171
Network Card(s): 1 NIC(s) Installed.
[01]: XenServer PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: No
IP address(es)
[01]: 10.93.178.118
[02]: fe80::580:2a39:3c96:efa0
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\temp>
#----- Command used on Windows AD server (mgmt-062-ad) to create the keytab file ---------------------------------------------------------------
C:/> ktpass -out ldap-ad-2.keytab -princ ldap@mgmt-062-ad.internal2.example.com@INTERNAL2.EXAMPLE.COM +rndPass -mapUser ldap@INTERNAL2.EXAMPLE.COM -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
#------ Error message ---------------------------------------------------------------
$ klist -kt ldap-ad-2.keytab
Keytab name: FILE:ldap-ad-2.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
18 12/31/1969 18:00:00 ldap@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM
#------ KRB5 Configuration File ---------------------------------------------------------------
$ cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = INTERNAL.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  INTERNAL.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
  INTERNAL2.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.DomainController.Cert.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/mgmt-062-ad.internal2..example.com.RootCA.Cert.pem
  }

[domain_realm]
  .internal..example.com = INTERNAL.EXAMPLE.COM
  internal..example.com = INTERNAL.EXAMPLE.COM
  mgmt-027-auto.mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
  .mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
  mgmt.internal..example.com = INTERNAL.EXAMPLE.COM
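A small check of the keytab entry against the shape kinit expects (service/host@REALM, with the realm present in krb5.conf), written as an added example for this thread rather than code from the poster or from FreeIPA. The klist line and the realm list are constructed from the post above; the "(a)" printed by the archive is assumed to stand for "@".

```python
import re

# Constructed sample: the "klist -kt" entry from the post, with the archive's
# "(a)" obfuscation assumed to be "@".
KLIST_LINE = r"18 12/31/1969 18:00:00 ldap@mgmt-062-ad.internal2.example.com\@INTERNAL2.EXAMPLE.COM"
# Realm stanzas present in the posted krb5.conf [realms] section (constructed set).
CONFIGURED_REALMS = {"INTERNAL.EXAMPLE.COM", "INTERNAL2.EXAMPLE.COM"}


def split_principal(text):
    """Split a principal as klist prints it into (components, realm).

    klist escapes a literal '/', '@' or '\\' with a backslash, so only an
    unescaped '@' separates the name from the realm and only an unescaped
    '/' separates name components.
    """
    components, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: keep it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":  # first unescaped '@': the rest, unescaped, is the realm
            components.append("".join(buf))
            return components, re.sub(r"\\(.)", r"\1", text[i + 1:])
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))
    return components, None


def check_keytab_entry(line, configured_realms):
    """Return the problems found in one 'klist -kt' line (empty list = looks sane)."""
    components, realm = split_principal(line.split()[-1])
    problems = []
    if realm is None:
        problems.append("principal has no realm")
    elif "@" in realm:
        problems.append("realm contains '@': the -princ value was split at its first '@'")
    elif realm not in configured_realms:
        problems.append("realm %s has no [realms] stanza in krb5.conf" % realm)
    if len(components) != 2:
        problems.append("expected service/host, got %d component(s)" % len(components))
    return problems
```

Running check_keytab_entry(KLIST_LINE, CONFIGURED_REALMS) on the posted entry reports two problems: the realm part still contains an '@', and the name has one component instead of service/host.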