On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
> Ok, so, yeah -- my first question stands. This works when it falls
> back to LDAP, but it does not honor a kerberos ticket. Is there a way
> to do that in the same circumstances?
>
> Thanks again,
>
> --Jason
>
> On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sako...@gmail.com> wrote:
> > Nevermind, AIX problem (surprise, surprise!)
> >
> > Since it's half-kerberized at this point (the default is system auth,
> > not kerb/ldap) it failed.
> >
> > I had to create entries in /etc/security/user for the users I wanted
> > to test with and explicitly state that I wanted them to log on via
> > krb5/ldap.
> >
> > --Jason
> >
> > On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sako...@gmail.com> wrote:
> >> I've been searching and I know it's been answered before but I can't
> >> find it.
> >>
> >> I have UNIX.DOMAIN.COM as my IPA realm.
> >>
> >> I have some hosts that sit on (in DNS) domain.com (they are not part
> >> of any other Kerberos realms.)
> >>
> >> I'm unable to currently change the domain names on these boxes.
> >>
> >> In krb5.conf I have the mappings:
> >>
> >>     domain.com = UNIX.DOMAIN.COM
> >>     .domain.com = UNIX.DOMAIN.COM
> >>
> >> I can do a kinit admin from the client machine and get a ticket.
> >>
> >> I'm unable to authenticate via ssh to the client machine (with the
> >> user admin.)
> >>
> >> I'm able to "su" to the user, so we're talking to ldap and kerberos.
> >>
> >> I have the GSSAPI options set in sshd_config:
> >>
> >>     GSSAPIAuthentication yes
> >>     GSSAPICleanupCredentials yes
> >>
> >> But, in the syslog I see:
> >>
> >>     Miscellaneous failure\nNo principal in keytab matches desired name\n
> >>
> >> I'm sure this is because I generated the keytab for
> >> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
> >> know how to accomplish the second one.

I think that's the issue. You have to make sure that host.domain.com has a
DNS entry somewhere. It does not have to be the IPA DNS, but the DNS setup
must be correct so the IPA DNS can forward the request to the right server.
Then you can call 'ipa host-add host.domain.com', which will create a host
entry with the principal host/host.domain....@unix.domain.com. Now you can
call ipa-getkeytab and transfer the new keytab to host.domain.com.

HTH

bye,
Sumit

> >> I may be on the wrong track here. Every time I think I understand
> >> this I get hit with something that shows me that I'm still clueless.
> >>
> >> A pointer to a previous discussion on this would be sufficient, I think.
> >>
> >> Thanks,
> >>
> >> --Jason
> >>
> >> --
> >> The government is going to read our mail anyway, might as well make it
> >> tough for them. GPG Public key ID: B6A1A7C6
>
> _______________________________________________
> Freeipa-users mailing list
> https://www.redhat.com/mailman/listinfo/freeipa-users
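An added example (not code from the thread or from FreeIPA) of why sshd on the client asks for a different principal than the one in the keytab: it applies the krb5.conf mappings the way libkrb5 does (exact hostname first, then each parent domain with a leading dot, then the default realm) and checks the resulting host principal against a keytab listing. The config fragment, the default realm and both keytab listings are constructed; only the two domain.com mapping lines are the ones quoted in the thread, placed in the standard [domain_realm] section.

```python
# Added example (not from the thread or FreeIPA): derive the host principal
# sshd will look for and check it against a keytab. Config and keytabs are
# constructed; only the two domain.com mapping lines come from the thread.
KRB5_CONF = """
[domain_realm]
    domain.com = UNIX.DOMAIN.COM
    .domain.com = UNIX.DOMAIN.COM
"""
DEFAULT_REALM = "UNIX.DOMAIN.COM"  # constructed default_realm

def parse_domain_realm(text):
    """Collect [domain_realm] entries as {domain_or_host: REALM}."""
    section, mapping = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def host_realm(hostname, mapping, default_realm=DEFAULT_REALM):
    """libkrb5 lookup order: exact hostname, then each parent domain with
    a leading dot (.domain.com, .com), then the default realm."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm

def expected_host_principal(hostname, mapping):
    # GSSAPI in sshd acquires creds for host/<fqdn>@<realm of fqdn>
    return "host/%s@%s" % (hostname.lower(), host_realm(hostname, mapping))

def keytab_covers(hostname, keytab_principals, mapping):
    """(ok, wanted): a miss here is what sshd logs as
    'No principal in keytab matches desired name'."""
    wanted = expected_host_principal(hostname, mapping)
    return wanted in keytab_principals, wanted
DOMAIN_REALM = parse_domain_realm(KRB5_CONF)
# Constructed keytabs: one cut for the wrong name, one after 'ipa host-add'
OLD_KEYTAB = ["host/host.unix.domain.com@UNIX.DOMAIN.COM"]
NEW_KEYTAB = ["host/host.domain.com@UNIX.DOMAIN.COM"]
```

Running keytab_covers("host.domain.com", OLD_KEYTAB, DOMAIN_REALM) reproduces the mismatch from the thread, and the same call against NEW_KEYTAB succeeds once the keytab was generated for the name the client actually resolves to.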