On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sako...@gmail.com> wrote:
> > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sb...@redhat.com> wrote:
> > > On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> > > > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
> > > > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
> > > > > > I think that's the issue. You have to make sure that host.domain.com
> > > > > > has a DNS entry somewhere, it does not have to be the IPA DNS but the
> > > > > > DNS setup must be correct so the IPA DNS can forward the request to
> > > > > > the right server. Then you can call 'ipa host-add host.domain.com'
> > > > > > which will create a host entry with the principal
> > > > > > host/host.domain....@unix.domain.com. Now you can call ipa-getkeytab
> > > > > > and transfer the new keytab to host.domain.com.
> > > > >
> > > > > Ok, I'm dumbfounded (again.)
> > > > >
> > > > > I've removed the old host from IPA:
> > > > >
> > > > > [xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> > > > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> > > > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
> > > > > ipa: ERROR: sla400q1.unix.domain.com: host not found
> > > > >
> > > > > And I added the new host:
> > > > >
> > > > > [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
> > > > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> > > > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
> > > > >   Host name: sla400q1.domain.com
> > > > >   Principal name: host/sla400q1.domain....@unix.domain.com
> > > > >   Password: False
> > > > >   Keytab: True
> > > > >   Managed by: sla400q1.domain.com
> > > > >
> > > > > I generated the keytab:
> > > > >
> > > > > [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
> > > > > Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
> > > > > [xxx@slpidml01 ~]$
> > > > >
> > > > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
> > > > >
> > > > > But, when I list the principals in the keytab:
> > > > >
> > > > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> > > > > Keytab name: FILE:/etc/krb5/krb5.keytab
> > > > > KVNO Principal
> > > > > ---- ---------
> > > > >    1 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    1 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    1 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    1 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    2 host/sla400q1.unix.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    2 host/sla400q1.unix.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    2 host/sla400q1.unix.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    2 host/sla400q1.unix.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    1 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    1 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    1 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    1 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    2 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    2 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    2 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    2 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    3 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    3 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    3 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    3 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    4 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    4 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    4 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    4 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    5 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    5 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    5 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    5 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >    6 host/sla400q1.domain....@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    6 host/sla400q1.domain....@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> > > > >    6 host/sla400q1.domain....@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
> > > > >    6 host/sla400q1.domain....@unix.domain.com (ArcFour with HMAC/md5)
> > > > >
> > > > > Where are the sla400q1.unix.domain.com coming from? I've done this over
> > > > > and over, I can't find any reference to sla400q1.unix.domain.com in DNS
> > > > > in IPA, and the box never had any unix.domain.com references.
> > > > >
> > > > > In addition, I'm still getting the error:
> > > > >
> > > > > Miscellaneous failure\nNo principal in keytab matches desired name\n
> > > > >
> > > > > in the logs, even though:
> > > > >
> > > > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
> > > > > 192.168.42.108 sla400q1-bk
> > > > > #10.200.5.48 sla400q1.domain.com sla400q1
> > > > > 10.200.5.48 sla400q1.domain.com sla400q1
> > > > > sla400q1:/var/adm> hostname
> > > > > sla400q1.domain.com
> > > > > sla400q1:/var/adm> domainname
> > > > > domain.com
> > > > > sla400q1:/var/adm>
> > > > >
> > > > > Any clues?
> > > >
> > > > forgot to add:
> > > >
> > > > sla400q1:/var/adm> nslookup 10.200.5.48
> > > > Server:         10.200.2.24
> > > > Address:        10.200.2.24#53
> > > >
> > > > 48.5.200.10.in-addr.arpa name = SLA400Q1.domain.com.
> > >
> > > hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
> > > does some reverse DNS lookups it might end up looking for
> > > host/sla400q1.domain....@unix.domain.com. If you cannot change the case
> > > of the DNS entry, please try to create an IPA host with the case
> > > returned by DNS.
> >
> > IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.
> >
> > I've asked the admins of "domain.com" to change the reverse entry,
> > we'll see how that goes.
> >
> > Thanks again,
> >
> > --Jason
>
> Blew everything away regarding this host in IPA, cleared the keytab
> and caches on the AIX box.
>
> And I have success. Finally.
>
> Thanks!

great, thank you for the feedback.

bye,
Sumit

> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
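The two problems the thread runs into, a keytab carrying leftover principals from earlier attempts and a DNS name whose case does not match the principal Kerberos will look for, can both be caught before the "No principal in keytab matches desired name" error appears. The script below is an added example and not code from the thread or from FreeIPA: it parses the `klist -k -e` listing format quoted above, then compares the principals found against the host name the client actually resolves. The sample listing is constructed from the thread's output with a placeholder realm `UNIX.DOMAIN.COM`, since the archive obscures the real principal names; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the `klist -k -e` listing quoted in the
# thread, trimmed to a few entries. The realm UNIX.DOMAIN.COM is an assumed
# placeholder; the archive obscures the real principal names.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/sla400q1.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
"""

# One keytab entry per line: KVNO, principal, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Parse `klist -k -e` output into (kvno, principal, enctype) tuples.
    Header and separator lines do not match the entry pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(klist_text, dns_name, realm):
    """Compare the keytab against the host name the client will actually use.

    dns_name is the name DNS returns on the client (forward or reverse lookup).
    Kerberos compares principal names byte for byte, so a difference in case
    that DNS ignores is a real mismatch here.
    """
    expected = f"host/{dns_name}@{realm}"
    kvnos = defaultdict(set)
    for kvno, princ, _enctype in parse_klist(klist_text):
        kvnos[princ].add(kvno)
    principals = sorted(kvnos)
    exact = [p for p in principals if p == expected]
    case_only = [p for p in principals
                 if p != expected and p.lower() == expected.lower()]
    stale = [p for p in principals
             if p.startswith("host/") and p.lower() != expected.lower()]
    return {
        "expected": expected,
        "exact_match": bool(exact),
        "case_only_matches": case_only,
        "stale_host_principals": stale,
        "kvnos": {p: sorted(v) for p, v in kvnos.items()},
    }


def findings(result):
    """Turn a check_keytab() result into findings; an empty list means clean."""
    out = []
    if not result["exact_match"]:
        out.append(f"no exact entry for {result['expected']} "
                   "(this is what 'No principal in keytab matches desired name' means)")
    for p in result["case_only_matches"]:
        out.append(f"{p} differs from the expected name only in case; "
                   "fix the DNS record case or add the host under the DNS spelling")
    for p in result["stale_host_principals"]:
        out.append(f"{p} is a leftover host principal; ipa-getkeytab appends to an "
                   "existing keytab file, so remove the old file before fetching again")
    for p, versions in result["kvnos"].items():
        if len(versions) > 1:
            out.append(f"{p} has key versions {versions}; only the current KVNO "
                       "is used, the rest are leftovers from earlier fetches")
    return out


if __name__ == "__main__":
    # Reverse DNS in the thread returned SLA400Q1.domain.com, in upper case.
    result = check_keytab(SAMPLE_KLIST, "SLA400Q1.domain.com", "UNIX.DOMAIN.COM")
    for line in findings(result):
        print("-", line)
```

On a real host, feed it the output of `klist -k -e` together with the name from `nslookup` of the host's own address; once the reverse record is lowercased (or the keytab is regenerated from a fresh file), `findings()` returns an empty list.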