Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sako...@gmail.com> wrote:
>> On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sb...@redhat.com> wrote:
>>> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>>>> On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
>>>>> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
Re: [Freeipa-users] authenticate with base domain name?
On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
> Ok, so, yeah -- my first question stands. This works when it falls back to
> LDAP, but it does not honor a Kerberos ticket. Is there a way to do that in
> the same circumstances?
>
> Thanks again,
> --Jason
>
> On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sako...@gmail.com> wrote:
>> Nevermind, AIX problem (surprise, surprise!) Since it's half-kerberized at
>> this point (the default is system auth, not kerb/ldap) it failed. I had to
>> create entries in /etc/security/user for the users I wanted to test with
>> and explicitly state that I wanted them to log on via krb5/ldap.
>>
>> --Jason
>>
>> On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sako...@gmail.com> wrote:
>>> I've been searching and I know it's been answered before but I can't find
>>> it.
>>>
>>> I have UNIX.DOMAIN.COM as my IPA realm. I have some hosts that sit on (in
>>> DNS) domain.com (they are not part of any other Kerberos realms.) I'm
>>> unable to currently change the domain names on these boxes.
>>>
>>> In krb5.conf I have the mappings:
>>>
>>>   domain.com = UNIX.DOMAIN.COM
>>>   .domain.com = UNIX.DOMAIN.COM
>>>
>>> I can do a kinit admin from the client machine and get a ticket. I'm
>>> unable to authenticate via ssh to the client machine (with the user
>>> admin.) I'm able to su to the user, so we're talking to LDAP and Kerberos.
>>>
>>> I have the GSSAPI options set in sshd_config:
>>>
>>>   GSSAPIAuthentication yes
>>>   GSSAPICleanupCredentials yes
>>>
>>> But, in the syslog I see:
>>>
>>>   Miscellaneous failure\nNo principal in keytab matches desired name\n
>>>
>>> I'm sure this is because I generated the keytab for host.unix.domain.com
>>> instead of host.domain.com -- but I don't know how to accomplish the
>>> second one.

I think that's the issue. You have to make sure that host.domain.com has a DNS
entry somewhere, it does not have to be the IPA DNS but the DNS setup must be
correct so the IPA DNS can forward the request to the right server. Then you
can call 'ipa host-add host.domain.com' which will create a host entry with
the principal host/host.domain@unix.domain.com. Now you can call
ipa-getkeytab and transfer the new keytab to host.domain.com.

HTH

bye,
Sumit

>>> I may be on the wrong track here. Every time I think I understand this I
>>> get hit with something that shows me that I'm still clueless. A pointer to
>>> a previous discussion on this would be sufficient, I think.
>>>
>>> Thanks,
>>> --Jason
>>>
>>> --
>>> The government is going to read our mail anyway, might as well make it
>>> tough for them.
>>> GPG Public key ID: B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
> I think that's the issue. You have to make sure that host.domain.com has a
> DNS entry somewhere, it does not have to be the IPA DNS but the DNS setup
> must be correct so the IPA DNS can forward the request to the right server.
> Then you can call 'ipa host-add host.domain.com' which will create a host
> entry with the principal host/host.domain@unix.domain.com. Now you can call
> ipa-getkeytab and transfer the new keytab to host.domain.com.

Ok, I'm dumbfounded (again.)

I've removed the old host from IPA:

  [xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
  ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
  ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
  ipa: ERROR: sla400q1.unix.domain.com: host not found

And I added the new host:

  [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
  ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
  ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
    Host name: sla400q1.domain.com
    Principal name: host/sla400q1.domain@unix.domain.com
    Password: False
    Keytab: True
    Managed by: sla400q1.domain.com

I generated the keytab:

  [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
  Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
  [xxx@slpidml01 ~]$

Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab

But, when I list the principals in the keytab:

  sla400q1:/var/adm /usr/krb5/bin/klist -k -e
  Keytab name: FILE:/etc/krb5/krb5.keytab
  KVNO Principal
  ---- ----------------------------------------------------------------------
     1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
     2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
     1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
     2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
     3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
     4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
     5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
     6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with HMAC/sha1)
     6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

Where are the sla400q1.unix.domain.com coming from? I've done this over and
over, I can't find any reference to sla400q1.unix.domain.com in DNS in IPA,
and the box never had any unix.domain.com references.

In addition, I'm still getting the error:

  Miscellaneous failure\nNo principal in keytab matches desired name\n

in the logs, even though:

  sla400q1:/var/adm grep sla400q1 /etc/hosts
  192.168.42.108 sla400q1-bk
  #10.200.5.48 sla400q1.domain.com sla400q1
  10.200.5.48 sla400q1.domain.com sla400q1
  sla400q1:/var/adm hostname
  sla400q1.domain.com
  sla400q1:/var/adm domainname
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> I generated the keytab:
>
>   [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
>   Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab

Does /tmp/sla400q1.keytab still exist from your previous attempts?
ipa-getkeytab might just add the new keys if the file is not empty?

bye,
Sumit
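The two symptoms in this thread (a keytab that holds principals for the old host name next to several key versions of the new one, and sshd's "No principal in keytab matches desired name") can be triaged mechanically. The script below is an added example, not code from the thread, from FreeIPA or from MIT krb5. It assumes the host's canonical name is what `hostname` returns, derives the realm from the krb5.conf [domain_realm] section the way MIT krb5 does (exact host name first, then the longest matching ".suffix", then default_realm), builds the host/<fqdn>@<REALM> acceptor name sshd looks for, and checks it against `klist -k -e` output. The krb5.conf fragment and the abridged keytab listing are constructed samples modelled on the thread; the `.example.org` mapping is invented so the suffix matching has something to distinguish.

```python
"""Check a host keytab against the principal sshd's GSSAPI acceptor will look
for.  Added example; the config and listing below are constructed samples."""
import re
from collections import defaultdict

# Constructed krb5.conf fragment using the realm and mappings from the thread,
# plus one extra (invented) realm so the suffix matching is exercised.
KRB5_CONF = """
[libdefaults]
 default_realm = UNIX.DOMAIN.COM

[domain_realm]
 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM
 .example.org = EXAMPLE.ORG
"""

# Constructed, abridged `klist -k -e` output modelled on the thread's listing:
# keys for the old host name plus several key versions of the new one.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab entry: "<kvno> <principal> (<enctype description>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat 'key = value' stanzas."""
    sections, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
        elif current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(fqdn, conf):
    """MIT-style [domain_realm] lookup: exact host, then each parent '.suffix',
    then default_realm."""
    mapping = conf.get("domain_realm", {})
    name = fqdn.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def expected_host_principal(fqdn, conf):
    """The acceptor name sshd will try to find: host/<fqdn>@<REALM>."""
    return f"host/{fqdn.lower().rstrip('.')}@{realm_for_host(fqdn, conf)}"


def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}} from `klist -k -e` output."""
    table = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            table[m.group(2)][int(m.group(1))].append(m.group(3))
    return table


def check_keytab(fqdn, krb5_conf_text, klist_text):
    """Return (expected principal, list of findings) for one host."""
    wanted = expected_host_principal(fqdn, parse_krb5_conf(krb5_conf_text))
    keytab = parse_klist(klist_text)
    findings = []
    if wanted in keytab:
        kvnos = sorted(keytab[wanted])
        findings.append(f"OK: {wanted} present, KVNO {kvnos}")
        if len(kvnos) > 1:
            # ipa-getkeytab run repeatedly into a file that still exists adds
            # keys; only the newest KVNO matches what the KDC now issues.
            findings.append(f"WARN: {len(kvnos)} key versions of {wanted}; "
                            "regenerate into an empty file")
    else:
        findings.append(f"FAIL: {wanted} missing; sshd will log "
                        "'No principal in keytab matches desired name'")
    for principal in sorted(keytab):
        if principal != wanted and principal.startswith("host/"):
            findings.append(f"WARN: stale host principal {principal}")
    return wanted, findings


if __name__ == "__main__":
    for line in check_keytab("sla400q1.domain.com", KRB5_CONF, KLIST_OUTPUT)[1]:
        print(line)
```

On a real host the two constants would be replaced by the contents of /etc/krb5.conf and the output of `klist -k -e` against the keytab sshd actually reads; the check is deliberately free of any Kerberos library so it can run on a box whose krb5 stack is the thing under suspicion.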
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
>> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>> On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
>>> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sako...@gmail.com> wrote:
> On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sb...@redhat.com> wrote:
>> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
>>> On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sako...@gmail.com> wrote:
>>>> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sb...@redhat.com> wrote:
Re: [Freeipa-users] authenticate with base domain name?
On Wed, Jul 31, 2013 at 01:57:50PM -0500, KodaK wrote:
On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:

Unfortunately, that made no difference:

sla400q1:/var/adm nslookup 10.200.5.48
Server:     10.200.2.24
Address:    10.200.2.24#53

48.5.200.10.in-addr.arpa    name = sla400q1.domain.com.

Jul 31 14:55:09 sla400q1 auth|security:debug sshd[25624644]: debug1: Miscellaneous failure\nNo principal in keytab matches desired name\n

It sure would be nice if the desired name was printed along with that error message.

Can you increase the debug level of sshd any further? Maybe the name is listed then?

Are you sure sshd is expecting the keytab in /etc/krb5/krb5.keytab on AIX?

bye,
Sumit

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] authenticate with base domain name?
I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm. I have some hosts that sit on (in dns) domain.com (they are not part of any other Kerberos realms.) I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket. I'm unable to authenticate via ssh to the client machine (with the user admin.) I'm able to su to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for host.unix.domain.com instead of host.domain.com -- but I don't know how to accomplish the second one.

I may be on the wrong track here. Every time I think I understand this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
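The check the question is circling (does the keytab hold host/<fqdn>@REALM for the name sshd resolves for itself?) as an added Python example; this is not code from the thread or from FreeIPA. It applies the [domain_realm] rules quoted above to a hostname, parses a constructed `klist -k -e` listing shaped like the one posted later in the thread, and reports whether the desired principal is present; it also flags RC4 ("ArcFour with HMAC/md5") and 3DES keys, which appear in the posted keytab and are deprecated by RFC 8429. Assumptions: the principal host/sla400q1.domain.com@UNIX.DOMAIN.COM is the standard host principal for the poster's FQDN and realm (the archive renders it abbreviated), the sample keytab covers only the old name as in the original question, and the parent-domain fallback in realm_for_host approximates what krb5 does when no rule matches and DNS realm lookup is off.

```python
"""Check a keytab against the principal sshd will ask for.

Added example, not from the thread or from FreeIPA. sshd's GSSAPI acceptor
looks for host/<fqdn>@<REALM>, with <REALM> taken from krb5.conf
[domain_realm]; "No principal in keytab matches desired name" means the
keytab holds keys only for some other name. All data below is constructed.
"""
import re
from collections import defaultdict

# [domain_realm] mappings exactly as given in the original question.
DOMAIN_REALM = {
    "domain.com": "UNIX.DOMAIN.COM",
    ".domain.com": "UNIX.DOMAIN.COM",
}

# Constructed sample shaped like `klist -k -e` output: a keytab generated for
# the old name only (host.unix.domain.com), the situation in the first mail.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# RC4-HMAC ("ArcFour with HMAC/md5") and 3DES are deprecated by RFC 8429;
# keys of these types in a keytab let the KDC keep issuing tickets with them.
WEAK_ENCTYPE_MARKERS = ("ArcFour", "Triple DES")

# One keytab entry line: "<kvno> <principal> (<enctype description>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def realm_for_host(fqdn, domain_realm):
    """Resolve a hostname to a realm the way [domain_realm] does: an exact
    host entry wins, then the longest matching '.parent' entry. With no match
    we fall back to the parent domain upper-cased (assumption: approximates
    the MIT krb5 default when DNS realm lookup is disabled)."""
    host = fqdn.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    candidates = [k for k in domain_realm if k.startswith(".") and host.endswith(k)]
    if candidates:
        return domain_realm[max(candidates, key=len)]
    parent = host.partition(".")[2]
    return parent.upper() if parent else None


def parse_klist(text):
    """Parse `klist -k -e` output into {principal: [(kvno, enctype), ...]}."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(entries)


def check_keytab(fqdn, klist_text, domain_realm=DOMAIN_REALM, service="host"):
    """Report whether the keytab can serve service/fqdn and flag weak keys."""
    realm = realm_for_host(fqdn, domain_realm)
    desired = f"{service}/{fqdn.lower().rstrip('.')}@{realm}" if realm else None
    entries = parse_klist(klist_text)
    matching = entries.get(desired, []) if desired else []
    weak = sorted(
        {p for p, keys in entries.items()
         for _, enctype in keys
         if any(marker in enctype for marker in WEAK_ENCTYPE_MARKERS)}
    )
    return {
        "desired": desired,
        "present": bool(matching),
        "kvnos": sorted({kvno for kvno, _ in matching}),
        "principals": sorted(entries),
        "weak_principals": weak,
    }


if __name__ == "__main__":
    for name in ("sla400q1.domain.com", "sla400q1.unix.domain.com"):
        report = check_keytab(name, SAMPLE_KLIST)
        status = "OK" if report["present"] else "MISSING"
        print(f"{report['desired']}: {status} kvnos={report['kvnos']}")
    summary = check_keytab("sla400q1.domain.com", SAMPLE_KLIST)
    print("principals in keytab:", summary["principals"])
    print("principals with deprecated enctypes:", summary["weak_principals"])
```

When the desired principal is present and sshd still logs the same error, as happens later in the thread, the keytab's contents are not the cause; the remaining variables are which keytab file sshd actually opens (the default path, or KRB5_KTNAME if set) and which name sshd resolves for itself, which is the question Sumit raises.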
Re: [Freeipa-users] authenticate with base domain name?
Nevermind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth, not kerb/ldap) it failed. I had to create entries in /etc/security/user for the users I wanted to test with and explicitly state that I wanted them to log on via krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:

I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm. I have some hosts that sit on (in dns) domain.com (they are not part of any other Kerberos realms.) I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket. I'm unable to authenticate via ssh to the client machine (with the user admin.) I'm able to su to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for host.unix.domain.com instead of host.domain.com -- but I don't know how to accomplish the second one.

I may be on the wrong track here. Every time I think I understand this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] authenticate with base domain name?
Ok, so, yeah -- my first question stands. This works when it falls back to LDAP, but it does not honor a kerberos ticket. Is there a way to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:

Nevermind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth, not kerb/ldap) it failed. I had to create entries in /etc/security/user for the users I wanted to test with and explicitly state that I wanted them to log on via krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:

I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm. I have some hosts that sit on (in dns) domain.com (they are not part of any other Kerberos realms.) I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket. I'm unable to authenticate via ssh to the client machine (with the user admin.) I'm able to su to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for host.unix.domain.com instead of host.domain.com -- but I don't know how to accomplish the second one.

I may be on the wrong track here. Every time I think I understand this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6