Ok, so, yeah -- my first question stands.  This works when it falls
back to LDAP, but it does not honor a Kerberos ticket.  Is there a way
to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sako...@gmail.com> wrote:
> Nevermind, AIX problem (surprise, surprise!)
>
> Since it's half-kerberized at this point (the default is system auth,
> not kerb/ldap) it failed.
>
> I had to create entries in /etc/security/user for the users I wanted
> to test with and explicitly state that I wanted them to log on via
> krb5/ldap.
>
> --Jason
>
> On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sako...@gmail.com> wrote:
>> I've been searching and I know it's been answered before but I can't find it.
>>
>> I have UNIX.DOMAIN.COM as my IPA realm.
>>
>> I have some hosts that sit on (in dns) domain.com (they are not part
>> of any other Kerberos realms.)
>>
>> I'm unable to currently change the domain names on these boxes.
>>
>> In krb5.conf I have the mappings:
>>
>> domain.com = UNIX.DOMAIN.COM
>> .domain.com = UNIX.DOMAIN.COM
>>
>> I can do a kinit admin from the client machine and get a ticket.
>>
>> I'm unable to authenticate via ssh to the client machine (with the user 
>> admin.)
>>
>> I'm able to "su" to the user, so we're talking to ldap and kerberos.
>>
>> I have the GSSAPI options set in sshd_config:
>>
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> But, in the syslog I see:
>>
>> Miscellaneous failure\nNo principal in keytab matches desired name\n
>>
>> I'm sure this is because I generated the keytab for
>> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
>> know how to accomplish the second one.
>>
>> I may be on the wrong track here.  Every time I think I understand
>> this I get hit with something that shows me that I'm still clueless.
>>
>> A pointer to a previous discussion on this would be sufficient, I think.
>>
>> Thanks,
>>
>> --Jason
>>
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them.  GPG Public key ID:  B6A1A7C6
>

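Added example, not part of the thread and not FreeIPA code: a small Python model of why the ssh login fails with "No principal in keytab matches desired name" while kinit and su work. The ssh client resolves the realm for the target hostname through the [domain_realm] section of its krb5.conf (exact hostname first, then the longest parent domain written with a leading dot, then default_realm), and then asks the KDC for host/<fqdn>@<realm>; sshd, with the default GSSAPIStrictAcceptorCheck, in turn looks for host/<its own hostname> in /etc/krb5.keytab. With the mapping from the thread, a client connecting to host.domain.com requests host/host.domain.com@UNIX.DOMAIN.COM, which a keytab generated for host.unix.domain.com does not contain. The krb5.conf fragment (the two mappings from the thread plus the realm's own domain) and the `klist -kt` listing below are constructed inputs, not captured from the poster's systems; the DNS-based realm lookup libkrb5 can also do is deliberately left out.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed client krb5.conf: the [domain_realm] lines from the thread plus the
# realm's own domain (assumption: the IPA client installer wrote those).
KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.DOMAIN.COM
 dns_lookup_realm = false

[domain_realm]
 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM
 unix.domain.com = UNIX.DOMAIN.COM
 .unix.domain.com = UNIX.DOMAIN.COM
"""

# Constructed `klist -kt /etc/krb5.keytab` output for a keytab that was
# generated for host.unix.domain.com only (the situation in the thread).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 07/30/13 14:10:02 host/host.unix.domain.com@UNIX.DOMAIN.COM
   2 07/30/13 14:10:02 host/host.unix.domain.com@UNIX.DOMAIN.COM
"""


def parse_krb5_conf(conf: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: {section: {key: value}} for flat 'key = value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def realm_for_host(hostname: str, sections: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Mimic libkrb5's [domain_realm] lookup: the exact hostname first, then each
    parent domain with a leading dot (.domain.com, then .com), longest first.
    Falls back to default_realm when nothing matches (DNS lookup not modelled)."""
    mapping = sections.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return sections.get("libdefaults", {}).get("default_realm")


def expected_host_principal(hostname: str, sections: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Service principal a GSSAPI ssh client requests for `hostname`: host/<fqdn>@<realm>."""
    realm = realm_for_host(hostname, sections)
    return None if realm is None else f"host/{hostname.lower().rstrip('.')}@{realm}"


def keytab_principals(listing: str) -> Set[str]:
    """Principal names from `klist -kt` output (last column of each entry line)."""
    return {line.split()[-1] for line in listing.splitlines() if "@" in line}


def diagnose(hostname: str, conf: str, listing: str) -> Tuple[Optional[str], bool]:
    """Return (principal sshd must hold for this hostname, whether the keytab has it).
    False is the 'No principal in keytab matches desired name' case."""
    wanted = expected_host_principal(hostname, parse_krb5_conf(conf))
    return wanted, wanted in keytab_principals(listing)


if __name__ == "__main__":
    for name in ("host.domain.com", "host.unix.domain.com"):
        wanted, ok = diagnose(name, KRB5_CONF, KEYTAB_LISTING)
        print(f"{name}: client requests {wanted}: {'present' if ok else 'MISSING'} in keytab")
```

To see the same thing on real systems: on the client, `kvno host/host.domain.com` after `kinit` shows the principal actually requested (and whether the KDC knows it); on the host, `klist -kt /etc/krb5.keytab` shows what sshd can accept. The keytab has to carry the principal for the name the box actually uses, so the usual path is to register that name in IPA and fetch its key, e.g. `ipa host-add host.domain.com --force` (--force because the name is not in IPA-managed DNS) followed on the host by `ipa-getkeytab -s ipaserver.unix.domain.com -p host/host.domain.com@UNIX.DOMAIN.COM -k /etc/krb5.keytab`, where ipaserver.unix.domain.com is an assumed server name. Note that ipa-getkeytab writes a new key version, so any copy of the old keytab for that principal stops working.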

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users