> When I check the host certificate I see a ca-error saying it cannot find
> a suitable key.
>
> # ipa-getcert list
>
> Number of certificates and requests being tracked: 1.
> Request ID '20130719035440':
>     status: CA_UNCONFIGURED
>     ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>     CA: IPA
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
What is the version of ipa-server, is the above error on ipa client, if so what is the version of ipa-client

Both client and server are version 3.0; the error is on the client

There was a similar bug in earlier versions, I would suggest you update the ipa server and clients to ipa-3.0

Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443

I have double checked to see if the workaround applies after the bug fix, it does not

> When I check my keytab
> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
> No error
> If I list my keytab,
>
> # klist -kt /etc/krb5.keytab
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>
> My /etc/krb5.conf file looks like:
>
> [libdefaults]
>   default_keytab_name = FILE:/etc/krb5.keytab
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   EXAMPLE.COM = {
>     kdc = det-ldmpl01.sub.example.com:88
>     master_kdc = det-ldmpl01.sub.example.com:88
>     admin_server = det-ldmpl01.sub.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
>   .sub.example.com = EXAMPLE.COM
>   sub.example.com = EXAMPLE.COM
>
> It seems the error from ipa-getcert list shows:
>
> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>
> where it is truncating the hostname and not including the realm name after
> @ seems to be the problem, but I cannot figure out why. If I run
> `hostname` on this host it prints det-webdl01.sub.example.com.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Regards
M.R.Niranjan
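
A diagnostic for the mismatch discussed in this thread, added here as an example and not part of any poster's message or of FreeIPA or certmonger: it compares the principal named in a `ca-error` with the principals that `klist -kt` lists. The function names, finding labels and sample hostnames are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: compare the principal named in certmonger's ca-error
# with what the keytab actually holds. Sample data below is constructed.

# Print the unique principals from `klist -kt` output read on stdin.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# check_principal WANTED: reads klist -kt output on stdin, prints findings,
# returns 0 only when WANTED is present in the keytab verbatim.
check_principal() {
    wanted=$1
    host=${wanted#*/}; host=${host%%@*}
    realm=${wanted#*@}
    [ "$realm" = "$wanted" ] && realm=""   # no '@' in the name at all
    principals=$(keytab_principals)

    [ -n "$realm" ] || echo "EMPTY_REALM: nothing after '@' in $wanted"
    case $host in
        *.*) ;;
        *) echo "SHORT_HOSTNAME: '$host' is not fully qualified" ;;
    esac
    if printf '%s\n' "$principals" | grep -Fqx -- "$wanted"; then
        echo "MATCH: $wanted"
        return 0
    fi
    echo "NO_EXACT_MATCH: $wanted"
    # Keytab entries whose host part begins with the same short name.
    printf '%s\n' "$principals" | awk -v h="${host%%.*}" -F'[/@]' \
        '$2 == h || index($2, h ".") == 1 { print "CANDIDATE: " $0 }'
    return 1
}

# Constructed klist -kt output (hostname and realm are placeholders).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 07/18/13 13:14:06 host/web01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/web01.sub.example.com@EXAMPLE.COM'

# Live use: klist -kt /etc/krb5.keytab | check_principal 'host/NAME@REALM'
printf '%s\n' "$SAMPLE_KLIST" | check_principal 'host/web01@' || true
```

A `CANDIDATE` line alongside `SHORT_HOSTNAME` or `EMPTY_REALM` means the keytab holds a key for the fully qualified name while the requested principal was built from a shorter one.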