On 10/13/2017 09:00 AM, Mark Haney wrote:
I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration.  This should be easy to answer.  I've got all the necessaries manually set up and I'm at the step to get the certificate from the IPA server.  TFM states this is the correct syntax to do so:
[root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

The problem I'm having is with the HOST/ and CN options, the reason being that the host I'm enrolling doesn't have the same domain name as the IPA server I'm using.  The client is 'rad.astacalska.net' and the IPA server domain (and realm) is neonova.net.  In IPA the client principal alias is host/rad.astacalaska....@neonova.net.  I tried this:

ipa-getcert  request -d /etc/pki/nssdb -n Server-Cert -K HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'

But after this completes (without an error I might add) and I try to su into my IPA account on the server I get 'unknown user'.  I'm almost certain I've got things configured correctly except for this last bit.  This box is on a /very slow/ link and the getcert was almost instantaneous, which makes me wonder if the command is wrong.  I can post logs if need be, but getting them is time consuming so this might be a long troubleshooting process.  So, is the command above correct?  Or should it be changed?
Here's some additional information I've slowly been able to glean from this server.  When I run 'ipa-getcert list' I get this:

Request ID '20171013123749':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/rad.astacalaska.net@.

Seems the realm is missing.  Could this be from the incorrect ipa-getcert request?  The keytab is correct AFAICT:

 klist -kt  rad.astacalaska.net.keytab
Keytab name: FILE:rad.astacalaska.net.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net
   1 10/12/17 14:37:41 host/rad.astacalaska....@neonova.net

FYI, this is the krb5.keytab file on the server.  It had to be generated on a localhost due to latency issues.  Does this help?

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
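The ca-error above names a principal with nothing after the "@", which means the client could not work out which realm the "host" service key belongs to, independently of what the keytab itself contains. The script below is an added example, not from this thread or from FreeIPA: it parses `klist -kt` output and a krb5.conf fragment (both constructed samples, with made-up names such as client.example.test and EXAMPLE.TEST) and reports whether the keytab holds a key for the service principal under the realm the client will actually ask for. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for the two
# inputs certmonger needs before it can authenticate the "host" service.
# Names, paths and sample text below are constructed for illustration.

# Constructed stand-in for `klist -kt /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/12/17 14:37:41 host/client.example.test@EXAMPLE.TEST
   1 10/12/17 14:37:41 host/client.example.test@EXAMPLE.TEST
   2 10/12/17 14:37:41 nfs/client.example.test@EXAMPLE.TEST'

# Constructed stand-in for /etc/krb5.conf; the realm lives under [libdefaults].
SAMPLE_KRB5CONF='[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.TEST
 rdns = false

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }'

# Print the unique principals listed by `klist -kt` (read from stdin).
# The first three lines are the header, so they are skipped.
keytab_principals() {
    awk 'NR > 3 && NF >= 4 { print $NF }' | sort -u
}

# Succeed only if stdin (klist -kt output) contains the exact principal, realm included.
keytab_has_principal() {
    keytab_principals | grep -Fqx -- "$1"
}

# Print default_realm from krb5.conf text on stdin; prints nothing if it is unset.
krb5_default_realm() {
    awk '/^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/) }
         in_ld && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }'
}

# Combine both checks for a service principal such as host/client.example.test.
# Arguments: principal without realm, klist -kt text, krb5.conf text.
# Exit status: 0 key found under the default realm, 1 no default_realm configured,
# 2 no key for that principal under that realm.
check_host_key() {
    princ="$1"; klist_text="$2"; conf_text="$3"
    realm=$(printf '%s\n' "$conf_text" | krb5_default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in krb5.conf: lookups end up as $princ@ (empty realm)" >&2
        return 1
    fi
    if printf '%s\n' "$klist_text" | keytab_has_principal "$princ@$realm"; then
        echo "keytab has $princ@$realm and the client will ask for that realm"
        return 0
    fi
    echo "keytab has no key for $princ@$realm; realms present in keytab:" >&2
    printf '%s\n' "$klist_text" | keytab_principals | sed 's/.*@//' | sort -u >&2
    return 2
}

# Stand-alone run over the constructed samples.
check_host_key host/client.example.test "$SAMPLE_KLIST" "$SAMPLE_KRB5CONF"
```

On a real client you would feed it `klist -kt /etc/krb5.keytab` and `/etc/krb5.conf` instead of the samples; an exit status of 1 points at the realm configuration rather than at the keytab or the ipa-getcert syntax.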