Hi,

For 'historical' reasons I have a working DNS zone in my LAN, say example.com. In this zone I have delegated an ipa.example.com zone for IPA.

I have set up FreeIPA (homelab, SL 6.1 with version ipa-server-2.0.0-23.el6.i686) and it works; I have a server and a client (kdc.ipa.example.com and ipaclient01.ipa.example.com).

From a laptop (not a member of the IPA realm) I kinit to this realm:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_500
    Default principal: u...@ipa.example.com

    Valid starting     Expires            Service principal
    12/07/11 22:24:17  12/08/11 22:24:17  krbtgt/ipa.example....@ipa.example.com
            renew until 12/14/11 22:24:17
    12/07/11 22:24:43  12/08/11 22:24:17  HTTP/kdc.ipa.example.com...@ipa.example.com
            renew until 12/14/11 22:24:17
    12/07/11 22:27:28  12/08/11 22:24:17  host/kdc.ipa.example.com...@ipa.example.com
            renew until 12/14/11 22:24:17

As you see, I could go to the web UI and log in from ssh. When logging in to ipaclient01, I get prompted to enter a password, and the error is clear when getting verbose output from slogin:

    $ slogin -v user@ipaclient01
    .......
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Server krbtgt/example....@ipa.example.com not found in Kerberos database
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Server krbtgt/example....@ipa.example.com not found in Kerberos database

If I log in using an FQDN instead of the simple name, then it works. The funny thing is, I can use the simple DNS name to log in to the kdc server. Why? I use both example.com and ipa.example.com in the laptop's search field in /etc/resolv.conf, by the way.

Another question: why is it not possible to add simple hostnames as a service principal?

TIA, great stuff so far :-)

-- 
Groeten,
natxo

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
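The error string in the post ("Server krbtgt/example....@ipa.example.com not found") has the shape of a cross-realm TGT request: the client decided the target host belongs to a realm other than its own and asked its KDC for krbtgt/OTHER-REALM@OWN-REALM. Which realm a host is assigned to depends on the fully qualified name the resolver produces for what was typed, and on the krb5.conf [domain_realm] mapping. The following block is an added example, not code from the post or from FreeIPA; it models those two steps in simplified form. The DNS names, the search list order and the [domain_realm] entries are constructed for illustration (in particular, that a name ipaclient01.example.com exists in the parent zone is an assumption; the post does not show the poster's zone data).

```python
"""Simplified model of how an ssh client turns a typed host name into the
Kerberos service principal (and, if needed, the cross-realm TGT) it asks
the KDC for.  Added example; all data below is constructed, not taken from
the mailing-list post."""

# Constructed DNS data: the fully qualified names that would resolve.
DNS_NAMES = {
    "kdc.ipa.example.com",
    "ipaclient01.ipa.example.com",
    "ipaclient01.example.com",   # assumption: a same-named host in the parent zone
}

# Assumed /etc/resolv.conf search list, in the order the post lists the domains.
SEARCH_LIST = ["example.com", "ipa.example.com"]

# Assumed krb5.conf settings on the client.
DEFAULT_REALM = "IPA.EXAMPLE.COM"
DOMAIN_REALM = {
    ".ipa.example.com": "IPA.EXAMPLE.COM",
    "ipa.example.com": "IPA.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}


def qualify(name, search_list=SEARCH_LIST, dns=DNS_NAMES):
    """Resolver behaviour: a name with no dots is tried with each search
    domain appended, in order; the first candidate that exists wins.
    A dotted name is tried as-is first, then with the search list."""
    candidates = []
    if "." in name:
        candidates.append(name)
    candidates.extend(f"{name}.{domain}" for domain in search_list)
    for candidate in candidates:
        if candidate in dns:
            return candidate
    return None


def host_realm(fqdn, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """[domain_realm] lookup in the style of MIT krb5 (simplified): the exact
    host name first, then each parent domain with a leading dot, longest
    match first; if nothing matches, fall back to default_realm."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm


def principals_requested(typed_name, client_realm=DEFAULT_REALM):
    """Return (service principal, cross-realm TGT principal or None) for the
    host name a user typed on the ssh command line."""
    fqdn = qualify(typed_name)
    if fqdn is None:
        raise LookupError(f"{typed_name}: not resolvable via search list {SEARCH_LIST}")
    realm = host_realm(fqdn)
    service = f"host/{fqdn}@{realm}"
    # A service in another realm needs a cross-realm TGT from the client's own KDC,
    # named krbtgt/<service realm>@<client realm>.
    tgt = None if realm == client_realm else f"krbtgt/{realm}@{client_realm}"
    return service, tgt


if __name__ == "__main__":
    for typed in ("kdc", "ipaclient01", "ipaclient01.ipa.example.com"):
        service, tgt = principals_requested(typed)
        print(f"{typed:30} -> {service}" + (f"  (needs {tgt})" if tgt else ""))
```

With the constructed data, "kdc" has no match in example.com, so the resolver falls through to ipa.example.com and the client stays in its own realm; "ipaclient01" matches in example.com first, the host maps to EXAMPLE.COM, and the client asks for krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM, which a KDC without a trust for that realm does not have. Typing the FQDN skips the search list entirely. A quick check on a real client is to compare `getent hosts ipaclient01` with the FQDN that works, and to inspect the [domain_realm] section of /etc/krb5.conf for which suffix the short name's resolved form falls under.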