[Freeipa-users] authenticate with base domain name?

KodaK sakodak at gmail.com
Wed Jul 31 16:09:43 UTC 2013


On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:

> I think that's the issue. You have to make sure that host.domain.com has
> a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> setup must be correct so the IPA DNS can forward the request to the
> right server. Then you can call 'ipa host-add host.domain.com' which
> will create a host entry with the principal
> host/host.domain.com@UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
> transfer the new keytab to host.domain.com.

Ok, I'm dumbfounded (again.)

I've removed the old host from IPA:

[xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
ipa: ERROR: sla400q1.unix.domain.com: host not found

And I added the new host:

[xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
  Host name: sla400q1.domain.com
  Principal name: host/sla400q1.domain.com@UNIX.DOMAIN.COM
  Password: False
  Keytab: True
  Managed by: sla400q1.domain.com

I generated the keytab:

[xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
[xxx@slpidml01 ~]$

Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab.

But, when I list the principals in the keytab:

sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   4 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   4 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   5 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   5 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)

Where are the sla400q1.unix.domain.com entries coming from? I've done this over and
over, and I can't find any reference to sla400q1.unix.domain.com in DNS or in IPA,
and the box never had any unix.domain.com references.

In addition, I'm still getting the error:

Miscellaneous failure\nNo principal in keytab matches desired name\n

in the logs, even though:

sla400q1:/var/adm> grep sla400q1 /etc/hosts
192.168.42.108  sla400q1-bk
#10.200.5.48    sla400q1.domain.com sla400q1
10.200.5.48     sla400q1.domain.com sla400q1
sla400q1:/var/adm> hostname
sla400q1.domain.com
sla400q1:/var/adm> domainname
domain.com
sla400q1:/var/adm>

Any clues?
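A keytab audit of the kind I would run on the host in this situation, added here as an example and not part of the thread: it parses `klist -k -e` output (a constructed sample modelled on the listing above), reports which KVNOs exist for the principal the host will actually look up, and lists every other principal sitting in the file, which is what explains a "No principal in keytab matches desired name" error when the looked-up name is not among them. The hostname and realm passed to it are assumptions taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -e` output, modelled on the keytab in the
# thread above (entries trimmed; real output prints '@', not ' at ').
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
"""

# One key entry line: "<kvno> <service>/<instance>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)/(\S+?)@(\S+)\s+\((.*)\)\s*$")

def parse_klist(text):
    """Return (kvno, service, instance, realm, enctype) for every key entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, instance, realm, enctype = m.groups()
            entries.append((int(kvno), service, instance, realm, enctype))
    return entries

def audit_keytab(text, expected_fqdn, expected_realm):
    """Split the keytab into the principal the host will look up
    (host/<fqdn>@REALM) and every other principal, which is stale or foreign.
    Several KVNOs for one principal mean ipa-getkeytab was run repeatedly;
    each run generates a fresh key on the server, so only the highest KVNO
    still matches what the KDC holds."""
    kvnos = defaultdict(set)
    for kvno, service, instance, realm, _ in parse_klist(text):
        kvnos[f"{service}/{instance}@{realm}"].add(kvno)
    wanted = f"host/{expected_fqdn}@{expected_realm}"
    return {
        "matching_kvnos": sorted(kvnos.get(wanted, ())),
        "stale": sorted((p, sorted(v)) for p, v in kvnos.items() if p != wanted),
    }

def weak_enctypes(text):
    """Legacy enctypes (RC4, single/triple DES) still present in the keytab."""
    return sorted({e for *_, e in parse_klist(text) if "ArcFour" in e or "DES" in e})
```

Run it against the real file with the output of `klist -k -e` as `text`; an empty `matching_kvnos` for the name the host resolves itself to is exactly the condition that produces the error above.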