On Tue, 2015-03-31 at 19:36 +0200, Matt . wrote:
> OK, but as I say, without the load balancer, same domain it works.
>

All the more reason to capture the session and review it in Wireshark.

> My IPA server also sees the client name and PTR as I do NAT.
>
> So you create a keytab for your host you are doing the commands from?

All of my hosts get a host principal and have it put in /etc/krb5.keytab. I run kadmin to generate them. FreeIPA likely has utilities for this, but I am not sure what they are.

> I was using a user keytab and run my commands as that user, that works
> to ipa-01
>
> It's getting something more clear.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project