On 07/19/2013 09:47 AM, Rivet, Matt wrote:
Hi,


> When I check the host certificate I see a ca-error saying it cannot find
> a suitable key.
> 
> # ipa-getcert list
> 
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 

What is the version of ipa-server? Is the above error on the ipa client?
If so, what is the version of ipa-client?


There was a similar bug in earlier versions. I would suggest you update
the ipa server and clients to ipa-3.0.


> When I check my keytab
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
> No error
> If I list my keytab,
> 
> # klist -kt /etc/krb5.keytab
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
> 
> My /etc/krb5.conf file looks like:
> 
> [libdefaults]
>  default_keytab_name = FILE:/etc/krb5.keytab
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
> 
> It seems the error from ipa-getcert list shows:
> 
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01@.
> 
> where it is truncating the hostname and not including the realm name after
> @ seems to be the problem, but I cannot figure out why.  If I run
> `hostname` on this host it prints det-webdl01.sub.example.com.
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


-- 
Regards
M.R.Niranjan
