Never mind, AIX problem (surprise, surprise!). Since it's half-kerberized at this point (the default is system auth, not kerb/ldap), it failed.

I had to create entries in /etc/security/user for the users I wanted to test with and explicitly state that I wanted them to log on via krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sako...@gmail.com> wrote:
> I've been searching and I know it's been answered before but I can't find it.
>
> I have UNIX.DOMAIN.COM as my IPA realm.
>
> I have some hosts that sit on (in dns) domain.com (they are not part
> of any other Kerberos realms.)
>
> I'm unable to currently change the domain names on these boxes.
>
> In krb5.conf I have the mappings:
>
> domain.com = UNIX.DOMAIN.COM
> .domain.com = UNIX.DOMAIN.COM
>
> I can do a kinit admin from the client machine and get a ticket.
>
> I'm unable to authenticate via ssh to the client machine (with the user
> admin.)
>
> I'm able to "su" to the user, so we're talking to ldap and kerberos.
>
> I have the GSSAPI options set in sshd_config:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> But, in the syslog I see:
>
> Miscellaneous failure\nNo principal in keytab matches desired name\n
>
> I'm sure this is because I generated the keytab for
> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
> know how to accomplish the second one.
>
> I may be on the wrong track here. Every time I think I understand
> this I get hit with something that shows me that I'm still clueless.
>
> A pointer to a previous discussion on this would be sufficient, I think.
>
> Thanks,
>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
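The "No principal in keytab matches desired name" mismatch in the quoted post, as an added diagnostic that is not from this thread: it applies the krb5.conf [domain_realm] lookup to the host name sshd will present and checks whether `klist -k` output lists the matching host/ principal. The krb5.conf text and klist output below are constructed samples, not the poster's actual configuration.

```python
import re

# Constructed sample krb5.conf fragment, mirroring the mappings quoted in the thread.
KRB5_CONF = """\
[domain_realm]
 unix.domain.com = UNIX.DOMAIN.COM
 .unix.domain.com = UNIX.DOMAIN.COM
 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM
"""

# Constructed `klist -k /etc/krb5.keytab` output: a keytab made for host.unix.domain.com.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host.unix.domain.com@UNIX.DOMAIN.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {domain_or_host: REALM}."""
    body = re.search(r"\[domain_realm\]\s*(.*?)(?=\n\[|\Z)", conf_text, re.S)
    pairs = re.findall(r"^\s*([^\s=#]+)\s*=\s*(\S+)", body.group(1) if body else "", re.M)
    return {k.lower(): v for k, v in pairs}

def realm_for_host(fqdn, mapping):
    """MIT lookup order: exact host name first, then each parent domain with a leading dot."""
    fqdn = fqdn.lower()
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None

def keytab_principals(klist_text):
    """Principals listed in `klist -k` output (KVNO column followed by the principal)."""
    return {l.split(None, 1)[1] for l in klist_text.splitlines()
            if re.match(r"\s*\d+\s+\S+@\S+$", l)}

def check_host_keytab(fqdn, conf_text, klist_text):
    """Return (host principal sshd needs for fqdn, whether the keytab contains it)."""
    realm = realm_for_host(fqdn, parse_domain_realm(conf_text))
    if realm is None:
        return None, False
    wanted = f"host/{fqdn.lower()}@{realm}"
    return wanted, wanted in keytab_principals(klist_text)
```

Run it with the host name the client actually resolves to (the one in the sshd error), and a False result tells you which host/ principal the keytab is missing for that realm mapping.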