When I check the host certificate I see a ca-error saying it cannot find a 
suitable key.

# ipa-getcert list

Number of certificates and requests being tracked: 1.
Request ID '20130719035440':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default 
keytab: Keytab contains no suitable keys for host/det-webdl01@.
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS 
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

When I check my keytab
# kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
No error
If I list my keytab,

# klist -kt /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
   1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com

My /etc/krb5.conf file looks like:

[libdefaults]
 default_keytab_name = FILE:/etc/krb5.keytab
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = det-ldmpl01.sub.example.com:88
    master_kdc = det-ldmpl01.sub.example.com:88
    admin_server = det-ldmpl01.sub.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .sub.example.com = EXAMPLE.COM
  sub.example.com = EXAMPLE.COM

It seems the error from ipa-getcert list shows:

ca-error: Error setting up ccache for local "host" service using default 
keytab: Keytab contains no suitable keys for host/det-webdl01@.

where it is truncating the hostname and not including the realm name after @. 
That seems to be the problem, but I cannot figure out why. If I run `hostname` on 
this host it prints det-webdl01.sub.example.com.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

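A small diagnostic, added here and not from the poster or from FreeIPA/certmonger, that parses `klist -kt` output and compares the keys it finds against the principal named in a certmonger ca-error, reporting a short-vs-full hostname mismatch or a missing/mismatched realm. The keytab listing, the realm EXAMPLE.COM and the hostname used in the sample are constructed for the example (the post does not show the real realm).

```python
import re

# Constructed sample of `klist -kt` output; not the poster's actual keytab.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
"""

# One keytab entry: KVNO, date, time, principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_klist(text):
    """Map each principal in `klist -kt` output to the set of KVNOs present."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys


def diagnose(klist_text, wanted):
    """Return [] if `wanted` (e.g. the principal from a certmonger ca-error)
    has a key in the keytab, otherwise a sorted list of likely reasons."""
    keys = parse_klist(klist_text)
    if wanted in keys:
        return []
    svc_host, _, realm = wanted.partition("@")
    svc, _, host = svc_host.partition("/")
    findings = set()
    if not realm:
        findings.add("no realm after '@' in requested principal")
    for p in keys:
        p_svc_host, _, p_realm = p.partition("@")
        p_svc, _, p_host = p_svc_host.partition("/")
        if p_svc != svc:
            continue  # a key for a different service does not help
        # Same short name but different FQDN: short vs fully-qualified hostname.
        if p_host != host and p_host.split(".")[0] == host.split(".")[0]:
            findings.add(f"keytab has {p_host}, request uses {host}")
        if realm and p_realm != realm:
            findings.add(f"realm mismatch: keytab {p_realm}, request {realm}")
    if not findings:
        findings.add(f"no {svc}/ key for {host} in keytab")
    return sorted(findings)
```

On a real host, feed it the output of `klist -kt /etc/krb5.keytab` and the principal quoted in the ca-error.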