On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sako...@gmail.com> wrote:
> On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sb...@redhat.com> wrote:
>>
>> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
>> >
>> > >
>> > >
>> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
>> > >
>> > > > I think that's the issue. You have to make sure that host.domain.com has
>> > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>> > > > setup must be correct so the IPA DNS can forward the request to the
>> > > > right server. Then you can call 'ipa host-add host.domain.com' which
>> > > > will create a host entry with the principal
>> > > > host/host.domain....@unix.domain.com. Now you can call ipa-getkeytab and
>> > > > transfer the new keytab to host.domain.com.
>> > >
>> > > Ok, I'm dumbfounded (again.)
>> > >
>> > > I've removed the old host from IPA:
>> > >
>> > > [xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
>> > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
>> > > ipa: ERROR: sla400q1.unix.domain.com: host not found
>> > >
>> > > And I added the new host:
>> > >
>> > > [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
>> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
>> > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
>> > >   Host name: sla400q1.domain.com
>> > >   Principal name: host/sla400q1.domain....@unix.domain.com
>> > >   Password: False
>> > >   Keytab: True
>> > >   Managed by: sla400q1.domain.com
>> > >
>> > > I generated the keytab:
>> > >
>> > > [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
>> > > Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
>> > > [xxx@slpidml01 ~]$
>> > >
>> > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
>> > >
>> > > But, when I list the principals in the keytab:
>> > >
>> > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
>> > > Keytab name:  FILE:/etc/krb5/krb5.keytab
>> > > KVNO Principal
>> > > ---- ---------
>> > >    1 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    1 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    1 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    1 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    2 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    2 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    2 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    2 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    1 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    1 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    1 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    1 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    2 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    2 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    2 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    2 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    3 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    3 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    3 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    3 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    4 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    4 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    4 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    4 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    5 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    5 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    5 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    5 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >    6 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> > >    6 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>> > >    6 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
>> > >    6 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
>> > >
>> > > Where are the sla400q1.unix.domain.com coming from? I've done this over
>> > > and over, I can't find any reference to sla400q1.unix.domain.com in DNS
>> > > in IPA, and the box never had any unix.domain.com references.
>> > >
>> > > In addition, I'm still getting the error:
>> > >
>> > > Miscellaneous failure\nNo principal in keytab matches desired name\n
>> > >
>> > > in the logs, even though:
>> > >
>> > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
>> > > 192.168.42.108  sla400q1-bk
>> > > #10.200.5.48    sla400q1.domain.com sla400q1
>> > > 10.200.5.48     sla400q1.domain.com sla400q1
>> > > sla400q1:/var/adm> hostname
>> > > sla400q1.domain.com
>> > > sla400q1:/var/adm> domainname
>> > > domain.com
>> > > sla400q1:/var/adm>
>> > >
>> > > Any clues?
>> > >
>> > >
>> > forgot to add:
>> >
>> > sla400q1:/var/adm> nslookup 10.200.5.48
>> > Server:         10.200.2.24
>> > Address:        10.200.2.24#53
>> >
>> > 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.
>>
>> hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
>> does some reverse DNS lookups it might end up looking for
>> home/sla400q1.domain....@unix.domain.com. If you cannot change the case
>> of the DNS entry, please try to create an IPA host with the case
>> returned by DNS.
>>
>>
>
> IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.
>
> I've asked the admins of "domain.com" to change the reverse entry,
> we'll see how that goes.
>
> Thanks again,
>
> --Jason

Unfortunately, that made no difference:

sla400q1:/var/adm> nslookup 10.200.5.48
Server:         10.200.2.24
Address:        10.200.2.24#53

48.5.200.10.in-addr.arpa        name = sla400q1.domain.com.


Jul 31 14:55:09 sla400q1 auth|security:debug sshd[25624644]: debug1: Miscellaneous failure\nNo principal in keytab matches desired name\n

It sure would be nice if the desired name was printed along with that
error message.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
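An added example, not from the thread or from FreeIPA, that automates the check the posters are doing by eye: parse `klist -k -e` output and report whether the keytab holds an entry for the principal sshd will ask for, separating an exact hit from a match that differs only in case (the DNS-is-case-insensitive, Kerberos-is-not trap Sumit describes) and from stale `host/` entries for a different FQDN. The listing, hostnames and realm are constructed placeholders.

```python
import re

# Constructed sample modelled on the klist -k -e listing in the thread
# (realm and domain names here are placeholders, not the poster's).
SAMPLE_KLIST = """Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.example.com@UNIX.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.example.com@UNIX.EXAMPLE.COM (ArcFour with HMAC/md5)
   6 host/sla400q1.example.com@UNIX.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.example.com@UNIX.EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# One keytab entry per line: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Parse klist -k -e output into (kvno, principal, realm, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def check_host_principal(klist_text, desired_host, realm):
    """Can this keytab serve host/<desired_host>@<realm>?

    'exact'       -> an entry matches byte for byte (what Kerberos requires)
    'case_only'   -> entries equal only when case is ignored: DNS returned a
                     different case than the principal IPA stored
    'other_hosts' -> host/ principals for some other FQDN, which can never
                     satisfy the desired name
    """
    wanted = "host/" + desired_host
    entries = parse_klist(klist_text)
    exact = any(p == wanted and r == realm for _, p, r, _ in entries)
    case_only = sorted({p for _, p, r, _ in entries
                        if p != wanted and p.lower() == wanted.lower()
                        and r.upper() == realm.upper()})
    other_hosts = sorted({p for _, p, _, _ in entries
                          if p.startswith("host/") and p.lower() != wanted.lower()})
    return {"exact": exact, "case_only": case_only, "other_hosts": other_hosts}
```

Feed it the name the reverse zone actually returns (SLA400Q1.example.com in the thread's situation) and `case_only` is non-empty while `exact` is False, which is the silent cause behind "No principal in keytab matches desired name".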

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
