I have my ipa 1.2.2 setup in an environment where my servers have two
NICs each in a different VLAN.
With the multi NIC setup I have two different DNS names for a single
host to control which interface is is used when accessing the host e.g.
host.example.com and host.priv.example.com. The hostname of the server
is set to host.example.com.
I first configured the ipa-client on the host with the host.example.com
service principle and all is well; I can login via ssh and
authentication occurs via kerberos. I then setup another service
principle with the host.priv.example.com and downloaded the keytab to
the target server. However when I try to login via ssh I am prompted
for a password.
Turning on verbose output for ssh and upping the syslog to debug, I came
across this: Error code krb5 144 which I discovered means "wrong
principal in request."
Is what I am trying to do, having more then one host/ssh service
principle for a single host that is multihomed?
If so what is causing the error code 144 when I can see that in my local
klist the ticket for the host.priv.example.com is present?
Freeipa-users mailing list