[Freeipa-users] authenticate with base domain name?

KodaK sakodak at gmail.com
Wed Jul 31 16:12:47 UTC 2013


On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:

>
>
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
>
> > I think that's the issue. You have to make sure that host.domain.com has
>
> > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>
> > setup must be correct so the IPA DNS can forward the request to the
>
> > right server. Then you can call 'ipa host-add host.domain.com' which
>
> > will create a host entry with the principal
>
> > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
>
> > transfer the new keytab to host.domain.com.
>
> Ok, I'm dumbfounded (again.)
>
> I've removed the old host from IPA:
>
> [xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
>
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
>
> ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
>
> ipa: ERROR: sla400q1.unix.domain.com: host not found
>
> And I added the new host:
>
> [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
>
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
>
> ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
>
>  Host name: sla400q1.domain.com
>
>  Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
>
>  Password: False
>
>   Keytab: True
>
>  Managed by: sla400q1.domain.com
>
> I generated the keytab:
>
> [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
> Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
>
> [xxx at slpidml01 ~]$
>
> Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>
> But, when I list the principals in the keytab:
>
> sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> Keytab name:  FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- ---------
>    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
>    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
>
> Where are the sla400q1.unix.domain.com coming from? I've done this over
> and over, I can't find any reference to sla400q1.unix.domain.com in DNS
> in IPA, and the box never had any unix.domain.com references.
>
> In addition, I’m still getting the error:
>
> Miscellaneous failure\nNo principal in keytab matches desired name\n
>
> in the logs, even though:
>
> sla400q1:/var/adm> grep sla400q1 /etc/hosts
>
> 192.168.42.108  sla400q1-bk
>
> #10.200.5.48    sla400q1.domain.com sla400q1
>
> 10.200.5.48     sla400q1.domain.com sla400q1
>
> sla400q1:/var/adm> hostname
>
> sla400q1.domain.com
>
> sla400q1:/var/adm> domainname
>
> domain.com
>
> sla400q1:/var/adm>
>
> Any clues?
>
>
forgot to add:

sla400q1:/var/adm> nslookup 10.200.5.48
Server:         10.200.2.24
Address:        10.200.2.24#53

48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
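The listing above is the kind of thing worth checking mechanically before chasing DNS: does the keytab actually hold an entry for the exact name the host is being asked to serve, and what else is sitting in the file. The script below is an added example, not code from this thread or from FreeIPA. It parses the plain-text form printed by `klist -k -e` (the `@` that the list archive rewrites as " at " is restored in the constructed sample), then reports, for each candidate host name, whether `host/<name>@<REALM>` is present, which key versions (KVNOs) it carries, and which other `host/` principals are in the keytab. Names are compared case-sensitively because Kerberos principal names are; the uppercase `SLA400Q1.domain.com` form that reverse DNS returned in the post is therefore passed as a second candidate. The realm, the sample entries and the `run_klist` helper's keytab path are assumptions taken from the post, not checked against any live system.

```python
"""Check whether a keytab holds the host principal a machine will be asked for.

Added example (not from the mailing-list thread or FreeIPA). Parses the text
printed by `klist -k -e` and reports per-candidate-name coverage.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample modelled on the listing in the post, trimmed to a few
# entries; '@' is used where the archive shows ' at '.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
"""

# One keytab entry line: "<kvno> <principal>@<REALM> (<enctype description>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples for every entry line.

    Header lines ("Keytab name:", "KVNO Principal", dashes) do not match
    the entry pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def check_keytab(entries, candidate_names, realm):
    """Report keytab coverage of host/<name>@<realm> for each candidate name.

    candidate_names: the FQDNs the host may be addressed by, e.g. the output
    of `hostname` and the name reverse DNS returns for its address. Matching
    is case-sensitive, as principal names are.
    """
    kvnos = defaultdict(set)
    for kvno, princ, rlm, _enctype in entries:
        if princ.startswith("host/"):
            kvnos[f"{princ}@{rlm}"].add(kvno)

    wanted = {name: f"host/{name}@{realm}" for name in candidate_names}
    return {
        "present": {name: p in kvnos for name, p in wanted.items()},
        "kvnos": {name: sorted(kvnos.get(p, ())) for name, p in wanted.items()},
        "other_host_principals": sorted(p for p in kvnos if p not in wanted.values()),
    }


def run_klist(keytab="/etc/krb5/krb5.keytab"):
    """Run the real `klist -k -e <keytab>` and return its output (live systems only)."""
    return subprocess.run(["klist", "-k", "-e", keytab], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Names taken from the post: `hostname` output and the reverse-DNS answer.
    report = check_keytab(parse_klist(SAMPLE_KLIST),
                          ["sla400q1.domain.com", "SLA400Q1.domain.com"],
                          "UNIX.DOMAIN.COM")
    for name, ok in report["present"].items():
        print(f"host/{name}: {'present' if ok else 'MISSING'} kvnos={report['kvnos'][name]}")
    print("other host/ principals:", report["other_host_principals"])
```

On a live box, replace `SAMPLE_KLIST` with `run_klist()` and feed it the names from `hostname` and from a reverse lookup of the address clients connect to; an entry that is "MISSING" for one candidate but present for another points at a name-form mismatch rather than a missing keytab, and a long KVNO list for one principal shows how many times `ipa-getkeytab` has rotated that key.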