After we installed a new set of IPA servers for prod, and joined AD using username and password to have AD create a correct suffix routing, everything seems to work, and the suffix routing is created correctly on AD.
However, trying to SSH from Windows using PuTTY and Kerberos fails. The PuTTY log shows:

    Event Log: GSSAPI authentication initialisation failed
    Event Log: No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure.

DNS is on AD (manually added), and IPA has no DNS installed. Kerberos DNS is correct:

    # dig _kerberos._tcp.lx.dr.dk SRV
    ....
    ;; ANSWER SECTION:
    _kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk.
    _kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk.
    ;; ADDITIONAL SECTION:
    ipa01.lx.dr.dk. 3600 IN A x.y.z.135
    ipa02.lx.dr.dk. 3600 IN A x.y.z.134

    # dig _kerberos._tcp.dc._msdcs.lx.dr.dk SRV
    ...
    ;; ANSWER SECTION:
    _kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk.
    _kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk.
    ;; ADDITIONAL SECTION:
    ipa02.lx.dr.dk. 3600 IN A x.y.z.134
    ipa01.lx.dr.dk. 3600 IN A x.y.z.135

Klist on Windows shows I have a TGT for the LX domain (but only a TGT); sorry for the Danish.

    #0> Klient: drextrha @ NET.DR.DK
        Server: krbtgt/LX.DR.DK @ PLACE.DR.DK
        KerbTicket-krypteringstype: AES-256-CTS-HMAC-SHA1-96
        Billetflag 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Starttidspunkt: 9/21/2016 14:58:36 (lokal)
        Sluttidspunkt: 9/21/2016 23:16:09 (lokal)
        Fornyelsestidspunkt: 9/28/2016 13:16:09 (lokal)
        Sessionsnøgletype: AES-256-CTS-HMAC-SHA1-96

I can't see what's wrong and can't seem to find out what's wrong.

Suggestions welcome :-)