From dse.ldif:

    nsslapd-localhost: ipa-b.in.bmrc.ox.ac.uk

Fairly sure this is representative of the current running configuration, as the node was rebooted only hours ago.

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 15:58, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
>> Dear Alexander,
>>
>> klist -kt /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>    2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac...@in.bmrc.ox.ac.uk
>>
>> This is a bit non-standard, I understand, but so far this configuration is working OK. I guess the issue is that the ticket is being issued for the wrong domain.
>>
>> [inline image: screenshot of the DNS configuration for the sub-zone]
>>
>> I've attached a screenshot of the DNS configuration for the sub-zone. Our intention here is to ensure that the DNS entry and host for the IPA server within a different sub-zone and subnet resolves to a single IP for speed. So a "host" has been created for each of the interfaces, all of the respective Kerberos principals for the host services (ldap in this case), and then a new certificate issued with the alt names on it to allow for LDAPS. This works well, right up until the point of GSSAPI getting involved. There must be a piece of the puzzle we're missing here!
>
> Can you check in cn=config which value is set for the nsslapd-localhost attribute?
> This is the hostname value used by the LDAP server when it initializes its own TGT from the keytab. It should be ipa-b.$domain to make sure that both the client and the server are utilizing the same service principal. I suspect it is set to ipa-b.virt.$domain and thus the issue.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
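The mismatch discussed in the thread (nsslapd-localhost naming a host other than the one whose ldap/ principal clients ask for) can be checked mechanically against the server's dse.ldif and its keytab. The script below is an added example, not from the thread or from FreeIPA/389-ds; the dse.ldif fragment and `klist -kt` output it parses are constructed samples with placeholder hostnames, and the caller supplies the canonical hostname (the one clients resolve the server as).

```python
import re
from collections import defaultdict

# Constructed dse.ldif fragment (placeholder hostname); LDIF folds long
# values onto continuation lines that start with a single space.
SAMPLE_DSE_LDIF = """dn: cn=config
nsslapd-localhost: ipa-b.example.
 test
"""

# Constructed `klist -kt` output in the same layout as the thread shows.
SAMPLE_KLIST = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   1 02/11/18 12:09:17 ldap/ipa-b.example.test@EXAMPLE.TEST
   4 08/03/19 16:25:20 ldap/ipa-b.example.test@EXAMPLE.TEST
   1 11/03/19 10:50:01 ldap/ipa-b.virt.example.test@EXAMPLE.TEST
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.example.test@EXAMPLE.TEST
"""

def ldif_attr(ldif_text, attr):
    """Return the first value of `attr`, unfolding LDIF continuation lines."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # unfold a wrapped value
        else:
            lines.append(line)
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            return value.strip()
    return None

def keytab_principals(klist_text):
    """Map each principal in `klist -kt` output to its sorted KVNO list."""
    kvnos = defaultdict(set)
    for m in re.finditer(r"^ *(\d+) +\S+ +\S+ +(\S+) *$", klist_text, re.M):
        kvnos[m.group(2)].add(int(m.group(1)))
    return {p: sorted(v) for p, v in kvnos.items()}

def check_localhost_principal(ldif_text, klist_text, expected_host):
    """ok only if nsslapd-localhost is the canonical host and has an ldap/ key."""
    host = ldif_attr(ldif_text, "nsslapd-localhost")
    princs = keytab_principals(klist_text)
    prefix = "ldap/%s@" % host if host else None
    matching = {p: k for p, k in princs.items() if prefix and p.startswith(prefix)}
    others = sorted(p for p in princs if p.startswith("ldap/") and p not in matching)
    return {"localhost": host, "matching": matching, "other_ldap_principals": others,
            "ok": host == expected_host and bool(matching)}
```

On a real server, feed it the contents of /etc/dirsrv/slapd-*/dse.ldif and the output of `klist -kt /etc/dirsrv/ds.keytab`; a non-empty `other_ldap_principals` list alongside `ok == False` is exactly the alias-versus-canonical-name situation described above.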