On Tue, 2012-08-07 at 13:00 -0700, Rob Ogilvie wrote:
> Good Afternoon,
> I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL
> 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server,
> and it seems to be working great on the IPA server itself. I can ssh
> in as admin, type my password, and I'm in.
> I then have been struggling with getting it going on client systems.
> As I'm not setting any of this up with DNS (I want this to be as
> unobtrusive as possible), I executed the following command:
> ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.<domain>
> It asked me for admin's username and password and threw a warning
> about getent passwd admin not returning anything. Sure enough, it
> doesn't return anything on the client (although it does on the
> From the client, I'm able to kinit admin, type my password, and then
> passwordlessly ssh over to the auth server.
> I do see these entries in my log file on the client:
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child]]: Failed to
> initialize credentials using keytab [(null)]: Client
> 'host/ovm-c19-db<domain>@<REALM>' not found in Kerberos database.
> Unable to create GSSAPI-encrypted LDAP connection.
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child]]: Client not found
> in Kerberos database
> I'm pretty new at Kerberos, so am unsure exactly what this might mean.
Kerberos depends on proper name resolution. If a hostname cannot be
resolved you cannot acquire tickets for it.
So if your host ovm-c19-db does not have a DNS entry (either using IPA's
DNS server or an external DNS server), you can't get tickets.
Also, name resolution generally must match the hostname, as that is what
is used to register a client into IPA.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
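A pre-flight check that turns the advice in this reply into something a client admin can run, added here as an example and not code from FreeIPA or sssd. It extracts the host principal from an sssd "not found in Kerberos database" line like the one quoted above, derives the principal the client should own from its fully qualified hostname and realm (host/<fqdn>@<REALM>), and verifies that forward and reverse name resolution agree. The domain, realm, addresses and log line below are constructed placeholders; the resolver functions are injectable so the check can run offline against that constructed table.

```python
import re
import socket

# Pattern for the sssd ldap_child message quoted in the thread.
NOT_FOUND_RE = re.compile(
    r"Client '(?P<principal>host/(?P<host>[^@']+)@(?P<realm>[^']+))' "
    r"not found in Kerberos database"
)


def extract_missing_principal(log_line):
    """Return (principal, host, realm) from an sssd 'not found' line, or None."""
    m = NOT_FOUND_RE.search(log_line)
    if m is None:
        return None
    return m.group("principal"), m.group("host"), m.group("realm")


def expected_host_principal(fqdn, realm):
    """Host principal the enrolled client should own: host/<fqdn>@<REALM>."""
    return f"host/{fqdn.rstrip('.')}@{realm}"


def _same_name(a, b):
    """DNS names compare case-insensitively and ignore a trailing dot."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def check_name_resolution(fqdn, resolve=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Forward-resolve fqdn, reverse-resolve the address, report mismatches.

    Returns a list of findings; an empty list means the names agree.
    """
    findings = []
    if "." not in fqdn.rstrip("."):
        findings.append(f"hostname '{fqdn}' is not fully qualified")
    try:
        ip = resolve(fqdn)
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        findings.append(f"no forward record for '{fqdn}'")
        return findings
    try:
        ptr_name, _aliases, _addrs = reverse(ip)
    except OSError:
        findings.append(f"no reverse (PTR) record for {ip}")
        return findings
    if not _same_name(ptr_name, fqdn):
        findings.append(f"PTR for {ip} is '{ptr_name}', expected '{fqdn}'")
    return findings


def diagnose(log_line, local_fqdn, realm, resolve=socket.gethostbyname,
             reverse=socket.gethostbyaddr):
    """Combine the resolution check with the principal the KDC rejected."""
    findings = check_name_resolution(local_fqdn, resolve, reverse)
    found = extract_missing_principal(log_line)
    if found is not None:
        principal, _host, _realm = found
        expected = expected_host_principal(local_fqdn, realm)
        if principal != expected:
            findings.append(
                f"KDC rejected '{principal}' but this host should be enrolled "
                f"as '{expected}'; check 'hostname -f' and DNS")
    return findings


# --- Constructed sample data (placeholders, not the thread's real domain) ---
SAMPLE_LOG = ("Aug  7 12:52:56 ovm-c19-db [sssd[ldap_child]]: Failed to initialize "
              "credentials using keytab [(null)]: Client "
              "'host/ovm-c19-db@EXAMPLE.TEST' not found in Kerberos database.")
FAKE_FORWARD = {"ovm-c19-db.example.test": "192.0.2.19",
                "stale.example.test": "192.0.2.20"}
FAKE_REVERSE = {"192.0.2.19": "ovm-c19-db.example.test",
                "192.0.2.20": "other.example.test"}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname over the constructed table."""
    try:
        return FAKE_FORWARD[name.rstrip(".").lower()]
    except KeyError:
        raise socket.gaierror("constructed: no such host")


def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr over the constructed table."""
    try:
        return FAKE_REVERSE[ip], [], [ip]
    except KeyError:
        raise socket.herror("constructed: no PTR")


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "ovm-c19-db.example.test", "EXAMPLE.TEST",
                            fake_resolve, fake_reverse):
        print(finding)
    # Against the live resolver, using this machine's own name:
    # print(diagnose(SAMPLE_LOG, socket.getfqdn(), "EXAMPLE.TEST"))
```

Run with the constructed table, the script reports that the KDC rejected the short name `host/ovm-c19-db@EXAMPLE.TEST` while the client should be enrolled as `host/ovm-c19-db.example.test@EXAMPLE.TEST`, which is the short-versus-qualified hostname mismatch the reply describes. On a real client, drop the fake resolvers to use the system's own lookups.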