On 07/22/2013 04:26 PM, Rivet, Matt wrote:
>
>> Does anyone know why certmonger is looking for a keytab for 
>> host/det-webdl01@. instead of 
>> host/host/det-webdl01.sub.example....@example.com?
>
> In order to authenticate to the IPA server, the client software needs
> credentials.  In order to obtain those credentials, it needs to figure
> out the client system's principal name.  The function it uses to do this
> derives that principal name by doing a lookup to discover the client
> host's canonical name, and in this case that appears to be returning the
> shorter name.
>
> I'd check the result of running 'getent hosts `hostname`', and if
> /etc/hosts has an entry for the hostname that lists the short version
> first.
>
> HTH,
>
> Nalin
>
>
> /etc/hosts has both short and FQDN.  I removed the short and resubmitted 
> the certificate.  That resolved my issue.  Should I completely remove the 
> short name or is there a way to work around this?
>

/etc/hosts can have the short form, it just needs to be specified _after_ the
FQDN one, i.e.:

10.0.0.1  ipa.example.com ipa

This works! Thanks - I realized this after I checked out the ipa-server config.

HTH,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
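
A check for the ordering discussed in this thread, as an added example that is not part of the original messages: it flags hosts-file entries whose first (canonical) name is a short name while an FQDN appears later on the same line. The function name `check_hosts_order`, the constructed sample file and the choice to skip loopback entries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). The first name after the address in
# an /etc/hosts entry is the canonical name a lookup returns, so a short
# name listed before the FQDN yields a short canonical host name.

# check_hosts_order FILE
# Prints "LINE: ADDRESS canonical=SHORT fqdn=FQDN" for each misordered entry.
# Returns 0 when no such entry exists, 1 otherwise.
check_hosts_order() {
    awk '
        {
            sub(/#.*/, "")                          # drop trailing comments
            if (NF < 3) next                        # need address + 2 names
            if ($1 ~ /^127\./ || $1 == "::1") next  # assumption: skip loopback
            if ($2 ~ /\./) next                     # canonical name has a dot
            for (i = 3; i <= NF; i++) {
                if ($i ~ /\./) {                    # FQDN listed as an alias
                    printf "%d: %s canonical=%s fqdn=%s\n", NR, $1, $2, $i
                    bad = 1
                    break
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost localhost.localdomain
10.0.0.1    ipa.example.com ipa        # FQDN first: correct
10.0.0.2    client client.example.com  # short name first: flagged
EOF

check_hosts_order "$sample" || echo "misordered entries found"
```

Run `check_hosts_order /etc/hosts` on the client, then confirm the result with `getent hosts $(hostname)` as suggested earlier in the thread.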