Patterson, David via FreeIPA-users wrote:
Hello,
IPA version 4.6.8.
Got a host that doesn't allow user logins, but was joined at some point
to the domain.
Everything that I can think of to check appears to be working
    Log into client system with local credentials
    Logs show invalid user attempts
    Client Keytab looks valid... do these ever expire?
        ktutil
            read_kt /etc/krb5.keytab
            list
                shows the host/hostname.domain
            quit
    Cannot 'id admin' or 'id' any other user
    Can obtain Kerberos keys for admin
    Can run ipa user-show for any user
    System appears valid in idmweb gui
What did I miss?
    Get a new keytab for the client with ipa-getkeytab?
Maybe...
    Is there some server/client certs I should be checking?
No.
I'd start with, as root, kinit -kt /etc/krb5.keytab
That will tell you if the keytab is ok. You can also run klist -kt
/etc/krb5.keytab and note the highest kvno. Then on a working system run
kvno host/<host of client> and see if they match.
If either fails use ipa-getkeytab to get a new one.
I assume sssd is running? You might try their troubleshooting guide as well.
rob
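As an added example that is not part of this thread, the keytab check Rob describes (kinit against the keytab, highest kvno from `klist -kt`, kvno from the KDC via `kvno`, and a new keytab with `ipa-getkeytab` if they disagree) written as a small POSIX sh script. The host principal, the realm and the sample `klist`/`kvno` output are constructed for the demonstration; running it with `--live` as root on the client calls the real commands instead.

```shell
#!/bin/sh
# Added example (not from the thread): compare the highest kvno stored in the
# client keytab with the kvno the KDC currently holds for the host principal.
# Host name, realm and the sample command output below are constructed.

KEYTAB=/etc/krb5.keytab
PRINC="host/client.example.test@EXAMPLE.TEST"   # assumed principal name

# highest_kvno PRINCIPAL: reads `klist -kt` output on stdin and prints the
# highest KVNO recorded for PRINCIPAL (0 when the principal is absent).
highest_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kdc_kvno: reads `kvno` output on stdin ("principal: kvno = N"), prints N.
kdc_kvno() {
    awk -F'kvno = ' 'NF > 1 { sub(/[^0-9].*/, "", $2); print $2; exit }'
}

# compare_kvno KEYTAB_KVNO KDC_KVNO: prints a verdict; returns 0 only on match.
compare_kvno() {
    if [ "$1" -eq 0 ]; then
        echo "principal missing from keytab: fetch one with ipa-getkeytab"
        return 1
    elif [ "$1" -eq "$2" ]; then
        echo "kvno $1 matches the KDC: keytab is current"
        return 0
    else
        echo "kvno mismatch (keytab $1, KDC $2): host keys were re-issued, fetch a new keytab with ipa-getkeytab"
        return 1
    fi
}

# live_check: the sequence from the thread, run as root on the client.
# If kinit fails here the keytab is already suspect; in that case run
# `kvno` on a working host instead and feed its output to kdc_kvno.
live_check() {
    kinit -kt "$KEYTAB" "$PRINC" || { echo "kinit with $KEYTAB failed"; return 1; }
    kt=$(klist -kt "$KEYTAB" | highest_kvno "$PRINC")
    kdc=$(kvno "$PRINC" | kdc_kvno)
    compare_kvno "$kt" "$kdc"
}

# Constructed sample output standing in for the real commands so the script
# runs offline: the keytab holds kvno 2 and 3, the KDC reports kvno 4.
SAMPLE_KLIST="Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/03/2024 09:15:02 host/client.example.test@EXAMPLE.TEST
   3 01/03/2024 09:15:02 host/client.example.test@EXAMPLE.TEST
   3 01/03/2024 09:15:02 nfs/client.example.test@EXAMPLE.TEST"
SAMPLE_KVNO="host/client.example.test@EXAMPLE.TEST: kvno = 4"

if [ "$1" = "--live" ]; then
    live_check
else
    kt=$(printf '%s\n' "$SAMPLE_KLIST" | highest_kvno "$PRINC")
    kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
    compare_kvno "$kt" "$kdc" || true
fi
```

The mismatch branch is the case Rob's last sentence covers: once the host entry has been re-keyed on the server, every ticket the client presents from the old keytab is rejected, which matches the "invalid user" entries in the client logs while `ipa user-show` (which uses admin credentials, not the host key) still works.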