hi,

for 'historical' reasons, I have a working dns zone in my lan, say
example.com. In this zone, I have delegated an ipa.example.com zone
for ipa.

I have setup freeipa (homelab, SL 6.1 with version
ipa-server-2.0.0-23.el6.i686) and it works, I have a server and a
client (kdc.ipa.example.com and ipaclient01.ipa.example.com).

From a laptop (not member of the ipa realm) I kinit to this realm


$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: u...@ipa.example.com

Valid starting     Expires            Service principal
12/07/11 22:24:17  12/08/11 22:24:17  krbtgt/ipa.example....@ipa.example.com
        renew until 12/14/11 22:24:17
12/07/11 22:24:43  12/08/11 22:24:17
HTTP/kdc.ipa.example.com...@ipa.example.com
        renew until 12/14/11 22:24:17
12/07/11 22:27:28  12/08/11 22:24:17
host/kdc.ipa.example.com...@ipa.example.com
        renew until 12/14/11 22:24:17

As you can see, I could go to the web UI and log in via ssh.

When logging in to ipaclient01, I get prompted to enter a password,
and the error is clear when getting verbose output from slogin:

$ slogin -v user@ipaclient01
.......
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/example....@ipa.example.com not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/example....@ipa.example.com not found in Kerberos database

If I log in using a fqdn instead of the simple one, then it works. The
funny thing is, I can use the simple dns name to log in to the kdc server.
Why?

I use both example.com and ipa.example.com in the laptop's
search line in /etc/resolv.conf, by the way.

Another question: why is it not possible to add simple hostnames as a
service principal?

TIA, great stuff so far :-)
--
Regards,
natxo
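
The behaviour described in the post (a short hostname logging in fine on the kdc but failing on ipaclient01 with "krbtgt/example... not found") comes down to two client-side steps: the resolver search list turns the short name into an FQDN, and the Kerberos library maps that FQDN to a realm. The following added example (not code from the post or from FreeIPA) simulates both steps so the mapping can be checked offline. It assumes a constructed [domain_realm] table, a constructed set of resolvable names (including a hypothetical ipaclient01.example.com record in the parent zone), and an assumed fallback rule that an unmapped host takes its upper-cased parent domain as realm name; real MIT krb5 behaviour at that last step depends on dns_lookup_realm and KDC referral settings, so treat it as a model, not the library's algorithm.

```python
"""Model of short-name -> FQDN -> realm resolution on a Kerberos client.

Added example for the mailing-list question; not code from the post or from
FreeIPA.  All config and DNS data below is constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# Constructed [domain_realm] table: exact hostnames or dot-prefixed suffixes.
# Note there is deliberately no entry for ".example.com" (the parent zone).
DOMAIN_REALM: Dict[str, str] = {
    ".ipa.example.com": "IPA.EXAMPLE.COM",
    "ipa.example.com": "IPA.EXAMPLE.COM",
}

# Constructed stand-in for DNS.  The ipaclient01.example.com record is an
# assumption: a name in the parent zone that also answers for the client.
RESOLVABLE: Set[str] = {
    "kdc.ipa.example.com",
    "ipaclient01.ipa.example.com",
    "ipaclient01.example.com",
}


def resolve_short_name(name: str, search: List[str],
                       resolvable: Set[str] = RESOLVABLE) -> Optional[str]:
    """Mimic the resolver search list: append each suffix in order and return
    the first candidate that resolves, or None if nothing does."""
    name = name.lower().rstrip(".")
    if name in resolvable:
        return name
    for suffix in search:
        candidate = f"{name}.{suffix.lower().rstrip('.')}"
        if candidate in resolvable:
            return candidate
    return None


def host_to_realm(fqdn: str, domain_realm: Dict[str, str] = DOMAIN_REALM) -> str:
    """Map an FQDN to a realm: exact host first, then each parent domain with a
    leading dot (longest suffix first).  If nothing matches, fall back to the
    upper-cased parent domain (assumed fallback; see lead-in)."""
    host = fqdn.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def ticket_for_login(short_name: str, search: List[str], client_realm: str,
                     resolvable: Set[str] = RESOLVABLE,
                     domain_realm: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Return the service principal the client would ask the KDC for when it
    tries GSSAPI login to `short_name`.  A host in the client's own realm needs
    host/<fqdn>@<realm>; a host mapped to another realm first needs the
    cross-realm ticket krbtgt/<other realm>@<client realm>, which is exactly
    what the post's "Server krbtgt/... not found" error is about."""
    fqdn = resolve_short_name(short_name, search, resolvable)
    if fqdn is None:
        return None
    realm = host_to_realm(fqdn, domain_realm)
    if realm == client_realm:
        return f"host/{fqdn}@{realm}"
    return f"krbtgt/{realm}@{client_realm}"


if __name__ == "__main__":
    realm = "IPA.EXAMPLE.COM"
    for search in (["example.com", "ipa.example.com"],
                   ["ipa.example.com", "example.com"]):
        print(f"search {search}:")
        for host in ("kdc", "ipaclient01"):
            print(f"  {host:12s} -> {ticket_for_login(host, search, realm)}")
    # Mitigation check: mapping the parent zone onto the IPA realm removes the
    # cross-realm request regardless of search-list order.
    fixed = dict(DOMAIN_REALM, **{".example.com": "IPA.EXAMPLE.COM"})
    print("with .example.com mapped:",
          ticket_for_login("ipaclient01", ["example.com", "ipa.example.com"],
                           realm, domain_realm=fixed))
```

Running it shows the two outcomes side by side: with example.com searched first, "ipaclient01" resolves into the parent zone and the client requests krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM, while "kdc" only resolves under ipa.example.com and works either way. Putting the delegated zone first in the search list, or adding a ".example.com = IPA.EXAMPLE.COM" mapping under [domain_realm], are the two client-side knobs the model lets you verify before touching a real krb5.conf.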

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
