Hello,

IPA version 4.6.8.

Got a host that doesn’t allow user logins, but was joined at some point to the domain.

Everything that I can think of to check appears to be working:

    Log into client system with local credentials
    Logs show invalid user attempts

Client Keytab looks valid... do these ever expire?

    ktutil
        read_kt /etc/krb5.keytab
        list
            Shows the host/hostname.domain
        quit

    Cannot ‘id admin’ or ‘id’ any other user
    Can obtain Kerberos keys for admin
    Can run ipa user-show for any user
    System appears valid in idmweb gui

What did I miss?

    Get a new keytab for the client with ipa-getkeytab?
    Are there some server/client certs I should be checking?

Thanks!

David Patterson