I've been searching and I know it's been answered before but I can't find it.

I have UNIX.DOMAIN.COM as my IPA realm.

I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)

I'm unable to currently change the domain names on these boxes.

In krb5.conf I have the mappings:

domain.com = UNIX.DOMAIN.COM
.domain.com = UNIX.DOMAIN.COM

I can do a kinit admin from the client machine and get a ticket.

I'm unable to authenticate via ssh to the client machine (with the user admin.)

I'm able to "su" to the user, so we're talking to ldap and kerberos.

I have the GSSAPI options set in sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

But, in the syslog I see:

Miscellaneous failure\nNo principal in keytab matches desired name\n

I'm sure this is because I generated the keytab for
"host.unix.domain.com" instead of "host.domain.com" -- but I don't
know how to accomplish the second one.

I may be on the wrong track here.  Every time I think I understand
this I get hit with something that shows me that I'm still clueless.

A pointer to a previous discussion on this would be sufficient, I think.



The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Freeipa-users mailing list

Reply via email to