Locally on the IPA server I note that doing an ldapsearch using GSSAPI works if I use the LDAP host ldaps://ipa-b.in.bmrc.ox.ac.uk/ but not ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is ipa-b.virt.in.bmrc.ox.ac.uk, it needs to be able to communicate with LDAP via that hostname. Is this actually possible, since the TGT is _always_ going to be on ipa-b.$domain because of the nsslapd-localhost entry?

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]

On 11 Mar 2019, at 15:58, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
>
>> Dear Alexander,
>>
>> klist -kt /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    1 02/11/18 12:09:17 ldap/[email protected]
>>    1 02/11/18 12:09:17 ldap/[email protected]
>>    3 08/03/19 16:11:12 ldap/[email protected]
>>    3 08/03/19 16:11:12 ldap/[email protected]
>>    4 08/03/19 16:11:44 ldap/[email protected]
>>    4 08/03/19 16:11:44 ldap/[email protected]
>>    4 08/03/19 16:25:20 ldap/[email protected]
>>    4 08/03/19 16:25:20 ldap/[email protected]
>>    1 11/03/19 10:50:01 ldap/[email protected]
>>    1 11/03/19 10:50:01 ldap/[email protected]
>>    2 11/03/19 10:50:17 ldap/[email protected]
>>    2 11/03/19 10:50:17 ldap/[email protected]
>>    2 11/03/19 10:50:22 ldap/[email protected]
>>    2 11/03/19 10:50:22 ldap/[email protected]
>>
>> This is a bit non-standard, I understand, but so far this configuration is working OK. I guess the issue is that the ticket is being issued for the wrong domain.
>>
>> [inline image: screenshot of the DNS configuration for the sub-zone]
>>
>> I've attached a screenshot of the DNS configuration for the sub-zone. Our intention here is to ensure that the DNS entry and host for the IPA server within a different sub-zone and subnet resolves to a single IP for speed. So a "host" has been created for each of the interfaces, all of the respective Kerberos principals for the host services (ldap in this case), and then a new certificate issued with the alt names on it to allow for LDAPS. This works well, right up until the point of GSSAPI getting involved. There must be a piece of the puzzle we're missing here!
>
> Can you check in cn=config which value is set for the nsslapd-localhost attribute? This is the hostname value used by the LDAP server when it initializes its own TGT from the keytab. It should be ipa-b.$domain to make sure that both the client and the server are utilizing the same service principal. I suspect it is set to ipa-b.virt.$domain and thus the issue.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
