my host is asm-dns01.meyer.local 


On Monday, November 20, 2017 4:57 PM, Rob Crittenden <rcritten@redhat.com> wrote:


Andrew Meyer wrote:
> [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H
> ldap://asm-dns01.meyer.local -b '' -s base vendorName
> version: 1
>
> dn:
> vendorName: 389 Project
>
> [andrew.meyer@asm-rancid02 ~]$
>
> [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p
> 'radiusd/asm-rancid02.mgt.asm.borg.local' -s
> asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> Unable to initialize STARTTLS session
> Failed to bind to server!
> Failed to get keytab
> [andrew.meyer@asm-rancid02 ~]$

What host is your IPA server? You used asm-dns01.meyer.local for the
LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab.

rob

>
>
>
> On Monday, November 20, 2017 4:42 PM, Rob Crittenden
> <rcritten@redhat.com> wrote:
>
>
> Robbie Harwood via FreeIPA-users wrote:
>
>> Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>>
>>> [root@asm-rancid02 keytabs]# ipa-getkeytab
>>> -s asm-rancid02.mgt.asm.borg.local. -p
>>> radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Retrying with pre-4.0 keytab retrieval method...
>>> Unable to initialize STARTTLS session
>>> Failed to bind to server!
>>> Failed to get keytab
>>> [root@asm-rancid02 keytabs]#
>>>
>>> Do I need to generate a keytab first?  Should this be generated when I
>>> add the server to the domain/realm?
>>
>> This looks like it wasn't able to connect properly, so it hasn't reached
>> the point where Kerberos is involved.
>>
>> Keytabs are generated when the machine is enrolled in the realm.
>
>
> The host keytab is generated by ipa-client-install. Service keytabs need
> to be retrieved separately using ipa-getkeytab.
>
> It's strange that the starttls is failing. The 389-ds access log may
> have some information on the connection failure.
>
> To exercise it you can do something like:
>
> $ ldapsearch -LL -x -ZZ -H ldap://`hostname` -b '' -s base  vendorName
>
> rob
>
>
>
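Rob's question above comes down to which host was passed to `-s`: the thread's `ipa-getkeytab` call names the enrolled client itself, whereas `-s` must name the IPA server, and the STARTTLS error fires before any Kerberos step is reached. The following preflight script is an added example, not code from the thread or from the FreeIPA project. It assumes an IPA client's `/etc/ipa/default.conf` with the standard `server`, `host` and `realm` keys (a constructed copy is embedded so it runs offline), and it checks an intended `ipa-getkeytab` invocation against that file before anything is run, then classifies the tool's output by the stage at which it failed. The hostnames and realm in the sample are made up.

```python
import configparser
import re

# Constructed sample of an IPA client's /etc/ipa/default.conf.
# The key names are the real ones; the values are made up for this example.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa-server.example.test
host = client01.example.test
xmlrpc_uri = https://ipa-server.example.test/ipa/xml
enable_ra = True
"""

# Constructed copy of the failure output shown in the thread.
SAMPLE_GETKEYTAB_OUTPUT = """\
Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
"""


def parse_default_conf(text):
    """Return the [global] section of an IPA default.conf as a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["global"])


def check_getkeytab_args(conf, principal, server_arg):
    """Flag mistakes in an ipa-getkeytab invocation before it is run.

    conf       -- dict from parse_default_conf()
    principal  -- value intended for -p, e.g. radiusd/client01.example.test
    server_arg -- value intended for -s (must be the IPA server, not the client)
    Returns a list of findings; an empty list means the arguments look right.
    """
    findings = []
    wanted = server_arg.rstrip(".").lower()   # tolerate a trailing FQDN dot
    if wanted == conf["host"].lower():
        findings.append(
            f"-s {server_arg} is this client's own hostname; "
            f"the IPA server is {conf['server']}")
    elif wanted != conf["server"].lower():
        findings.append(
            f"-s {server_arg} does not match server={conf['server']} "
            "in /etc/ipa/default.conf")

    # A service principal is service/<fqdn>[@REALM]; the fqdn should be this client.
    m = re.fullmatch(r"([^/@]+)/([^@]+?)\.?(?:@([^@]+))?", principal)
    if not m:
        findings.append(f"principal {principal!r} is not of the form service/host[@REALM]")
        return findings
    _service, host, realm = m.groups()
    if host.lower() != conf["host"].lower():
        findings.append(
            f"principal host {host} is not this client ({conf['host']})")
    if realm and realm != conf["realm"]:
        findings.append(
            f"principal realm {realm} differs from realm={conf['realm']}")
    return findings


def failure_stage(output):
    """Classify ipa-getkeytab output by the earliest stage that failed.

    'tls'    -- LDAP STARTTLS never came up, so Kerberos was not yet involved
    'bind'   -- TLS was fine but the LDAP bind failed
    'keytab' -- bound, but the keytab retrieval itself failed
    'ok'     -- none of the known failure messages present
    """
    if "Unable to initialize STARTTLS session" in output:
        return "tls"
    if "Failed to bind to server" in output:
        return "bind"
    if "Failed to get keytab" in output:
        return "keytab"
    return "ok"


if __name__ == "__main__":
    conf = parse_default_conf(SAMPLE_DEFAULT_CONF)
    # Mirrors the thread's mistake: -s pointed at the client itself.
    for line in check_getkeytab_args(conf, "radiusd/client01.example.test",
                                     "client01.example.test."):
        print("finding:", line)
    print("failure stage:", failure_stage(SAMPLE_GETKEYTAB_OUTPUT))
```

The `-s` check is the one that matters for the thread: a STARTTLS failure against a host that is not running the IPA LDAP server is expected, so confirming the target from `default.conf` first saves a trip through the 389-ds access log. On a real client, replace the embedded sample with the contents of `/etc/ipa/default.conf`.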