sudo maprlogin generateticket -type service -user <user_name> -duration 14:0:0 -out /<directory_name>
returns the following error message.
"Operation failed. User has no established credentials on the cluster: <clustername>"
I tried various alternative users. I always ended up with the same error.
Use
maprlogin password
instead and it works.
Note: I've tried to keep things as simple as possible in this question as that is as far as my knowledge goes. Any form of help is appreciated.
I'm new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as Certificate Authority.
I verify I get a krbtgt using klist using the credentials of Certificate Admin.
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM@MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096 \
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
Only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for the web host.
Only the target machine can create a certificate (IPA uses the host
kerberos ticket) by default, so to be able to create the certificate
on your IPA server you need to allow it to manage the web service for
the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
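As an added example (not part of the original thread), the sketch below reads `getcert list` output, picks out requests rejected for lack of write access to `userCertificate`, and prints the `ipa service-add-host` delegation from the answer above for each one. The function names, host names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; the getcert listing below is constructed sample data.

# rejected_requests: read `getcert list` output on stdin. For every request in
# state CA_REJECTED whose ca-error names the userCertificate attribute, print
# "<request id> <service principal>".
rejected_requests() {
    awk -v q="'" '
        function emit() {
            if (status == "CA_REJECTED" && svc != "") print id, svc
        }
        /^Request ID/ { emit(); split($0, p, q); id = p[2]; status = svc = ""; next }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*ca-error:/ && /userCertificate/ {
            # 17 = length of "krbprincipalname="
            if (match($0, /krbprincipalname=[^,]+/))
                svc = substr($0, RSTART + 17, RLENGTH - 17)
        }
        END { emit() }
    '
}

# suggest_fix HOST: print, per rejected request, the command that allows HOST
# (the machine running ipa-getcert) to manage the service entry.
suggest_fix() {
    rejected_requests | while read -r id svc; do
        # ${svc%@*} drops the Kerberos realm from the principal
        printf 'request %s: ipa service-add-host --hosts=%s %s\n' "$id" "$1" "${svc%@*}"
    done
}

# Constructed sample in the layout shown in the question.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'.).
    stuck: yes
Request ID '20220105101500':
    status: MONITORING
    stuck: no
EOF
}

sample_getcert_list | suggest_fix builder.example.test
```

On a real host the input would come from `sudo getcert list`, and the delegation should name only the machine that actually needs to request the certificate.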
Getting the below error while launching an ssh session. I have all my public keys in place in both places:
1. /username/.ssh/authorized_keys
2. trusted-user-ca.keys.pem
Still getting the below error.
"Warning: Permanently added 'XX.XX.XX.XXX' (ECDSA) to the list of known hosts. Permission denied (publickey)."
Can anyone help with this?
First you have to change file permission like this
chmod 400 key.pem
then use
ssh -i "key.pem" root@domain.amazonaws.com
The issue was with the public certificate: the principal name was different from the user name. I tried signing the user public key with the username as principal and I successfully logged in.
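The principal mismatch described in this answer can be checked before deploying a certificate. The following is an added example, not part of the original thread: it parses the text printed by `ssh-keygen -L` and tests whether a login name is among the certificate's principals. The function names and the sample listing (with placeholder fingerprints) are constructed.

```shell
#!/bin/sh
# Added example; the certificate listing below is constructed.

# cert_principals: read `ssh-keygen -L` output on stdin and print the
# certificate's principals, one per line ("Principals: (none)" prints nothing).
cert_principals() {
    awk '
        /^[ \t]*Principals:/       { in_block = 1; next }
        /^[ \t]*Critical Options:/ { in_block = 0 }
        in_block {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") print
        }
    '
}

# cert_allows_login LOGIN: succeed only if LOGIN is listed as a principal.
cert_allows_login() {
    cert_principals | grep -Fxq -- "$1"
}

# Constructed listing for a certificate signed with the wrong principal.
sample_cert_listing() {
    cat <<'EOF'
user-key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "deploy-laptop"
        Serial: 1
        Valid: forever
        Principals:
                deploy-laptop
        Critical Options: (none)
        Extensions:
                permit-pty
EOF
}

# check_login LOGIN: report whether the sample certificate covers LOGIN.
check_login() {
    if sample_cert_listing | cert_allows_login "$1"; then
        echo "match"
    else
        echo "no match"
    fi
}

check_login ubuntu          # the account being logged in to
check_login deploy-laptop   # the name the certificate was signed for
```

On a real system, pipe `ssh-keygen -L -f <certificate file>` into `cert_allows_login` with the account name. Re-signing with `ssh-keygen -s <ca key> -I <key id> -n <login name> <public key>` sets the principal to the login name.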
While logging in to Snowflake from the command prompt, I'm getting the below error.
the error:
250001 (08001): Failed to connect to DB:
EGA12345.us-east-1.snowflakecomputing.com:443. Incorrect username or
password was specified. If the error message is unclear, enable
logging using -o log_level=DEBUG and see the log to find out the
cause. Contact support for further help.
I am able to log in to the web UI using the same username and password, but not from snowsql.
The command is snowsql -a EGA12345.us-east-1 -u venu
Thanks in advance.
Venu
Check what role you're using via snowsql. The default role would be "defaultrolename", which I doubt exists for your account. I tested this by changing the .snowsql/config file to have a connection where rolename=non-existing-role. Using that connection, I get the error in your original post.
When I tried to create Principal ("prabhat/admin") in Kerberos (Kadmind Server) using the addprinc command.
kadmin -q "addprinc prabhat/admin"
I got the following error
Authenticating as principal prabhat/admin with password.
Kadmin: client not found in kerberos database while initializing kadmin interface
In order to create principals in Kadmin server, first you will have to create a principal using kadmin.local command,
kadmin.local -q "addprinc user1/admin"
kadmin.local -q "list_principals"
will give a list of principals, that will help you to get authenticated.
Now, you can use user1/admin as an authorized principal to create further principals, without using kadmin.local
kadmin -p user1/admin -q "addprinc user2/admin"
Having an issue when executing 'knife ssh' command.
I've properly configured the SSH keys for remote connection, so that seems to work fine when trying to connect manually with ssh root@myhost.domain.com, because it automatically gives me access to myhost.domain.com without asking for a password.
After that, I tried to run the following knife command to execute a recipe in my remote machine but I'm getting this error:
# knife ssh -C 1 "tags:amx_host AND chef_environment:dev" "chef-client -o recipe[amx]" -i root_dev -x root
WARNING: Failed to connect to myhost.domain.com -- Net::SSH::AuthenticationFailed: Authentication failed for user root@myhost.domain.com@myhost.domain.com
Seems like knife is identifying an invalid user name root@myhost.domain.com which should be just root instead.
Please, does anyone have any clues on how can I avoid this error or why SSH is taking a wrong user: root@myhost.domain.com instead of just root?
Typo issue: was taking a non-existing identity key file: root-dev for the remote connection