My apologies.  asm-dns01.meyer.local is my FreeIPA master.


On Monday, November 20, 2017 5:46 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


Andrew Meyer wrote:
> my host is asm-dns01.meyer.local

That didn't answer the question. The question was which host is an IPA
master?

The -s argument of ipa-getkeytab should be an IPA master. Near as I can
tell you used the host you want to generate the keytab for and not an
IPA master.

rob

>
>
> On Monday, November 20, 2017 4:57 PM, Rob Crittenden
> <rcritten@redhat.com> wrote:
>
>
> Andrew Meyer wrote:
>> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H ldap://asm-dns01.meyer.local -b '' -s base vendorName
>> version: 1
>>
>> dn:
>> vendorName: 389 Project
>>
>> [andrew.meyer@asm-rancid02 ~]$
>>
>> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p 'radiusd/asm-rancid02.mgt.asm.borg.local' -s asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Retrying with pre-4.0 keytab retrieval method...
>> Unable to initialize STARTTLS session
>> Failed to bind to server!
>> Failed to get keytab
>> [andrew.meyer@asm-rancid02 ~]$
>
> What host is your IPA server? You used asm-dns01.meyer.local for the
> LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.
>
> rob
>
>>
>>
>>
>> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
>> <rcritten@redhat.com> wrote:
>>
>>
>> Robbie Harwood via FreeIPA-users wrote:
>>
>>> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>>> writes:
>>>
>>>> [root@asm-rancid02 keytabs]# ipa-getkeytab -s asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Retrying with pre-4.0 keytab retrieval method...
>>>> Unable to initialize STARTTLS session
>>>> Failed to bind to server!
>>>> Failed to get keytab
>>>> [root@asm-rancid02 keytabs]#
>>>>
>>>> Do I need to generate a keytab first?  Should this be generated when I
>>>> add the server to the domain/realm?
>>>
>>> This looks like it wasn't able to connect properly, so it hasn't reached
>>> the point where Kerberos is involved.
>>>
>>> Keytabs are generated when the machine is enrolled in the realm.
>>
>>
>> The host keytab is generated by ipa-client-install. Service keytabs need
>> to be retrieved separately using ipa-getkeytab.
>>
>> It's strange that the starttls is failing. The 389-ds access log may
>> have some information on the connection failure.
>>
>> To exercise it you can do something like:
>>
>> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
>>
>> rob
>>
>>
>>
>
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
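The thread turns on one mistake: the host given to `ipa-getkeytab -s` was the client itself rather than an IPA master, so the LDAP/STARTTLS connection had nothing to talk to and the failure surfaced before Kerberos was ever involved. The script below is an added example, not code from the thread or from the FreeIPA project. It runs the same anonymous STARTTLS probe Rob suggested (`ldapsearch -ZZ ... vendorName`) against the intended master and refuses to call `ipa-getkeytab` unless that probe succeeds and the server identifies itself as 389-ds. It assumes `ldapsearch` (openldap-clients) and `ipa-getkeytab` are on PATH and that the client already trusts the IPA CA, which `ipa-client-install` configures; every hostname in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): a pre-flight
# check that the host passed to ipa-getkeytab -s really is an IPA master
# reachable over STARTTLS, before any service key is generated.
# Assumptions: ldapsearch from openldap-clients and ipa-getkeytab are on
# PATH, and the client trusts the IPA CA (TLS_CACERT in ldap.conf, which
# ipa-client-install sets up). All hostnames below are constructed.

# Commands are taken from variables so they can be pointed at test doubles.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
IPA_GETKEYTAB=${IPA_GETKEYTAB:-ipa-getkeytab}

# ipa_master_check HOST
# 0 : HOST negotiated STARTTLS and reports vendorName "389 Project", which
#     is what an IPA master's directory server answers to an anonymous
#     base search
# 1 : connection or STARTTLS failed (the thread's symptom; -ZZ makes
#     ldapsearch abort instead of silently continuing in plaintext)
# 2 : TLS worked but the responder is not a 389-ds directory server
ipa_master_check() {
    host=$1
    out=$("$LDAPSEARCH" -LLL -x -ZZ -H "ldap://$host" -b '' -s base vendorName 2>&1) || {
        printf '%s: LDAP/STARTTLS probe failed:\n%s\n' "$host" "$out" >&2
        return 1
    }
    case $out in
        *'vendorName: 389 Project'*) return 0 ;;
        *) printf '%s: answered, but is not a 389-ds/IPA directory server\n' "$host" >&2
           return 2 ;;
    esac
}

# fetch_service_keytab PRINCIPAL MASTER KEYTAB
# Validates the arguments, strips a trailing dot from MASTER (a name such as
# "master.example.test." would otherwise end up inside the LDAP URL), and
# only then calls ipa-getkeytab against the verified master.
fetch_service_keytab() {
    principal=$1 master=${2%.} keytab=$3
    case $principal in
        */*) ;;
        *) printf 'principal must look like service/fqdn[@REALM], got %s\n' "$principal" >&2
           return 2 ;;
    esac
    ipa_master_check "$master" || return $?
    "$IPA_GETKEYTAB" -s "$master" -p "$principal" -k "$keytab"
}

# Stand-alone use (constructed names):
#   sh getkeytab-check.sh radiusd/client.example.test master.example.test /etc/krb5.keytab
if [ $# -eq 3 ]; then
    fetch_service_keytab "$@"
fi
```

Two practical points the check does not cover: `ipa-getkeytab` needs to run as root (or with a Kerberos ticket for a user allowed to create keytabs) to write into `/etc/krb5.keytab`, and fetching a keytab without `-r` generates fresh keys for the principal, which invalidates any keytab previously issued for it, so the probe is worth running before, not after, the real call.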