After we installed a new set of IPA servers for prod, and joined AD using 
username and password to have AD create a correct suffix routing, everything 
seems to work, and the suffix routing is created correctly on AD. 

However, trying to SSH from Windows using PuTTY and Kerberos fails: 

Putty log shows: 
Event Log: GSSAPI authentication initialisation failed 
Event Log: No authority could be contacted for authentication.The domain name 
of the authenticating party could be wrong, the domain could be unreachable, or 
there might have been a trust relationship failure. 

DNS is on AD (manually added), and IPA has no DNS installed. 

Kerberos DNS is correct: 

# dig _kerberos._tcp.lx.dr.dk SRV 
.... 
;; ANSWER SECTION: 
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. 
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. 

;; ADDITIONAL SECTION: 
ipa01.lx.dr.dk. 3600 IN A x.y.z.135 
ipa02.lx.dr.dk. 3600 IN A x.y.z.134 


# dig _kerberos._tcp.dc._msdcs.lx.dr.dk SRV 
... 
;; ANSWER SECTION: 
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. 
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. 

;; ADDITIONAL SECTION: 
ipa02.lx.dr.dk. 3600 IN A x.y.z.134 
ipa01.lx.dr.dk. 3600 IN A x.y.z.135 


Klist on Windows shows I have a TGT for the LX domain (but only a TGT), sorry 
for the Danish. 

#0> Klient: drextrha @ NET.DR.DK 
Server: krbtgt/LX.DR.DK @ PLACE.DR.DK 
KerbTicket-krypteringstype: AES-256-CTS-HMAC-SHA1-96 
Billetflag 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate 
name_canonicalize 
Starttidspunkt: 9/21/2016 14:58:36 (lokal) 
Sluttidspunkt: 9/21/2016 23:16:09 (lokal) 
Fornyelsestidspunkt: 9/28/2016 13:16:09 (lokal) 
Sessionsnøgletype: AES-256-CTS-HMAC-SHA1-96 


I can't see what's wrong and can't seem to find out what's wrong? 
Suggestions welcome :-) 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project