On Mon, Sep 26, 2016 at 09:25:46AM +0200, Troels Hansen wrote: > After we installed a new set of IPA servers for prod, and joined AD using > username and password to have AD create a correct suffix routing everythin > seems to work, and the suffix routing is created correctly on AD. > > However, trying to SSH from Windows using Putty and kerberos fails: > > Putty log shows: > Event Log: GSSAPI authentication initialisation failed > Event Log: No authority could be contacted for authentication.The domain name > of the authenticating party could be wrong, the domain could be unreachable, > or there might have been a trust relationship failure. > > DNS is on AD (manually added, and IPA have no DNS installed. > > Kerberos DNS is correct: > > # dig _kerberos._tcp.lx.dr.dk SRV > .... > ;; ANSWER SECTION: > _kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. > _kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. > > ;; ADDITIONAL SECTION: > ipa01.lx.dr.dk. 3600 IN A x.y.z.135 > ipa02.lx.dr.dk. 3600 IN A x.y.z.134 > > > # dig _kerberos._tcp.dc._msdcs.lx.dr.dk SRV > ... > ;; ANSWER SECTION: > _kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. > _kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. > > ;; ADDITIONAL SECTION: > ipa02.lx.dr.dk. 3600 IN A x.y.z.134 > ipa01.lx.dr.dk. 3600 IN A x.y.z.135 > > > Klist on Windows shows I have a TGT for the LX domain (but only a TGT), sorry > for the danish. > > #0> Klient: drextrha @ NET.DR.DK > Server: krbtgt/LX.DR.DK @ PLACE.DR.DK > KerbTicket-krypteringstype: AES-256-CTS-HMAC-SHA1-96 > Billetflag 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate > name_canonicalize > Starttidspunkt: 9/21/2016 14:58:36 (lokal) > Sluttidspunkt: 9/21/2016 23:16:09 (lokal) > Fornyelsestidspunkt: 9/28/2016 13:16:09 (lokal) > Sessionsnøgletype: AES-256-CTS-HMAC-SHA1-96 > > > I can't see whats wrong and can't seem to find out whats wrong? > Suggestions welcome :-)
Have you checked the firewalls? AD clients must be able to talk to the KDC port (88 udp and tcp) on the IPA servers to get service tickets for IPA hosts. HTH bye, Sumit > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
