On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> > I think that's the issue. You have to make sure that host.domain.com has
> > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> > setup must be correct so the IPA DNS can forward the request to the
> > right server. Then you can call 'ipa host-add host.domain.com' which
> > will create a host entry with the principal
> > host/host.domain....@unix.domain.com. Now you can call ipa-getkeytab and
> > transfer the new keytab to host.domain.com.
>
> Ok, I'm dumbfounded (again.)
>
> I've removed the old host from IPA:
>
> xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
> ipa: ERROR: sla400q1.unix.domain.com: host not found
>
> And I added the new host:
>
> [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
> ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
>   Host name: sla400q1.domain.com
>   Principal name: host/sla400q1.domain....@unix.domain.com
>   Password: False
>   Keytab: True
>   Managed by: sla400q1.domain.com
>
> I generated the keytab:
>
> [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
> Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
does /tmp/sla400q1.keytab still exist from your previous attempts?
ipa-getkeytab might just add the new keys if the file is not empty?

bye,
Sumit

> [xxx@slpidml01 ~]$
>
> Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>
> But, when I list the principals in the keytab:
>
> sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- ---------
>    1 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    1 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    2 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    2 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    1 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    1 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    1 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    2 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    2 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    3 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    3 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    3 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    3 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    4 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    4 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    4 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    4 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    5 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    5 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    5 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    5 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>    6 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    6 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    6 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>    6 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>
> Where are the sla400q1.unix.domain.com coming from? I've done this over and
> over, I can't find any reference to sla400q1.unix.domain.com in DNS in IPA,
> and the box never had any unix.domain.com references.
>
> In addition, I'm still getting the error:
>
> Miscellaneous failure\nNo principal in keytab matches desired name\n
>
> in the logs, even though:
>
> sla400q1:/var/adm> grep sla400q1 /etc/hosts
> 192.168.42.108 sla400q1-bk
> #10.200.5.48 sla400q1.domain.com sla400q1
> 10.200.5.48 sla400q1.domain.com sla400q1
> sla400q1:/var/adm> hostname
> sla400q1.domain.com
> sla400q1:/var/adm> domainname
> domain.com
> sla400q1:/var/adm>
>
> Any clues?
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
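The listing above is the kind of thing worth checking mechanically before copying a keytab onto a host: which principals it holds, how many key versions (KVNOs) have piled up per principal, and whether the one principal the service will actually ask for is present at all. The script below is an added example for this thread, not code from FreeIPA or from either poster. It parses `klist -k -e` output and produces that summary. The sample listing embedded in it is constructed to mirror the thread (abridged, with the realm written out as UNIX.DOMAIN.COM since the archive obfuscates it), and the expected principal passed to `audit_keytab` is an assumption about what the service looks up (host/<canonical hostname>@REALM).

```python
"""Audit a `klist -k -e` listing: principals, KVNOs, weak enctypes, and
whether the principal a service will ask for is present.

Added example for the freeipa-users thread above; not FreeIPA code.
"""
import re
from collections import defaultdict

# Constructed sample, abridged from the thread's listing.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Enctype names that should not be relied on for new keys
# (RFC 8429 deprecates RC4-HMAC and DES/3DES in Kerberos).
WEAK_ENCTYPES = ("ArcFour", "Triple DES", "DES cbc")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...]; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, expected_principal):
    """Summarize the keytab and check it against the principal the service
    will look for. Only the newest KVNO of a principal matches the key the
    KDC currently holds; older KVNOs are leftovers from earlier retrievals."""
    by_principal = defaultdict(lambda: defaultdict(set))
    for kvno, princ, enctype in parse_klist(text):
        by_principal[princ][kvno].add(enctype)

    report = {
        "expected_present": expected_principal in by_principal,
        "current_kvno": None,
        "stale_kvnos": [],
        # Principals the service will never use; in the thread these were
        # the old sla400q1.unix.domain.com keys.
        "other_principals": sorted(p for p in by_principal
                                   if p != expected_principal),
        "weak_enctypes": sorted({
            e for kv in by_principal.values() for encs in kv.values()
            for e in encs if any(w in e for w in WEAK_ENCTYPES)
        }),
    }
    if report["expected_present"]:
        kvnos = sorted(by_principal[expected_principal])
        report["current_kvno"] = kvnos[-1]
        report["stale_kvnos"] = kvnos[:-1]
    return report


if __name__ == "__main__":
    # Assumed: the service asks for host/<hostname>@REALM.
    wanted = "host/sla400q1.domain.com@UNIX.DOMAIN.COM"
    for key, value in audit_keytab(SAMPLE_KLIST, wanted).items():
        print(f"{key}: {value}")
```

On a real host, feed it `klist -k -e` output (for example `klist -k -e /etc/krb5/krb5.keytab`) and pass the principal the service logs as the one it wants. If `expected_present` is False, the service will report exactly the "No principal in keytab matches desired name" failure seen in the thread, since the name it derives from the host's canonical hostname is not in the file. A long `stale_kvnos` list is the signature of the situation Sumit suspects: `ipa-getkeytab` was run repeatedly into the same output file, so each run added a new key version alongside the old ones. Removing the old file (or writing to a fresh path) before the next retrieval keeps the keytab limited to the principals and key versions that are actually in use.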