On Wed, 2011-12-07 at 23:00 +0100, Natxo Asenjo wrote:
> hi,
>
> for 'historical' reasons, I have a working dns zone in my lan, say
> example.com. In this zone, I have delegated an ipa.example.com zone
> for ipa.
>
> I have set up freeipa (homelab, SL 6.1 with version
> ipa-server-2.0.0-23.el6.i686) and it works, I have a server and a
> client (kdc.ipa.example.com and ipaclient01.ipa.example.com).
>
> From a laptop (not member of the ipa realm) I kinit to this realm
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: u...@ipa.example.com
>
> Valid starting     Expires            Service principal
> 12/07/11 22:24:17  12/08/11 22:24:17  krbtgt/ipa.example....@ipa.example.com
>         renew until 12/14/11 22:24:17
> 12/07/11 22:24:43  12/08/11 22:24:17  HTTP/kdc.ipa.example.com...@ipa.example.com
>         renew until 12/14/11 22:24:17
> 12/07/11 22:27:28  12/08/11 22:24:17  host/kdc.ipa.example.com...@ipa.example.com
>         renew until 12/14/11 22:24:17
>
> As you see, I could go on the web ui and login from ssh.
>
> When logging in to the ipaclient01, I get prompted to enter a password
> and the error is clear when getting verbose output from slogin:
>
> $ slogin -v user@ipaclient01
> .......
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server krbtgt/example....@ipa.example.com not found in Kerberos database
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server krbtgt/example....@ipa.example.com not found in Kerberos database
>
> If I login using a fqdn instead of the simple one, then it works. The
> funny thing is, I can use the simple dns name to login the kdc server.
> Why?
Not sure why it works on your kdc, perhaps you have entries in /etc/hosts
that resolve it first.

> I use both the example.com and the ipa.example.com in the laptop's
> search field in /etc/resolv.conf, by the way.

This is the issue. Your client is trying to use the name
ipaclient01.example.com and, seeing it is not in ipa.example.com, your
krb libs are trying to search for a trusted realm named 'EXAMPLE.COM',
which does not exist of course.

Using the fqdn there is no ambiguity and therefore your krb libs know
what is the full name and the principal they should look for.

> Another question: why is it not possible to add simple hostnames as a
> service principal?

In theory you could, and turning off canonicalization completely you
would be able to get a ticket. But in general a FQDN name is needed to
connect to another host if you do not have a specific search domain.

A simple host name would be ambiguous: how do you know which ticket to
fetch if you have both www.example.com and www.ipa.example.com and want
to do kerb auth against one or the other server? Clearly the
HTTP/w...@ipa.example.com principal can only be used by one of them,
while a FQDN instead makes it pretty unambiguous in all cases.

Also a FQDN is sometimes used because there are historically protocols
where the name of the server is not known directly, but only through a
PTR record which is resolved into a FQDN name.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
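The name-expansion and realm-lookup sequence Simo describes, as an added Python simulation that is not code from the thread or from FreeIPA: expand_name, host_realm and tickets_needed are hypothetical helpers, the search order, host table and [domain_realm] entries are constructed to mirror the laptop's setup, and the uppercase-parent-domain fallback follows MIT krb5's documented behaviour when neither [domain_realm] nor DNS supplies a realm for the host.

```python
# Added simulation (not code from the thread): resolver search-list expansion,
# then the krb5 host-to-realm mapping. With no [domain_realm] entry and no DNS
# answer, MIT krb5 falls back to the uppercased parent domain of the host.

def expand_name(name, search_list, resolvable):
    """Resolver: a dotless name is tried with each search domain in order."""
    if "." in name:
        return name if name in resolvable else None
    for domain in search_list:
        candidate = f"{name}.{domain}"
        if candidate in resolvable:
            return candidate
    return None

def host_realm(fqdn, domain_realm, default_realm):
    """[domain_realm]: exact host, then parent domains; else uppercase parent."""
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    parent = ".".join(labels[1:])
    return parent.upper() if parent else default_realm

def tickets_needed(name, service, client_realm, search_list, resolvable,
                   domain_realm):
    """Principals requested from the KDC; a foreign realm needs a cross-realm TGT."""
    fqdn = expand_name(name, search_list, resolvable)
    if fqdn is None:
        return []
    realm = host_realm(fqdn, domain_realm, client_realm)
    principal = f"{service}/{fqdn}@{realm}"
    if realm != client_realm:
        return [f"krbtgt/{realm}@{client_realm}", principal]
    return [principal]

# Constructed data mirroring the thread: example.com is searched first, a record
# for ipaclient01 answers under both names, and only the IPA domain is mapped.
SEARCH = ["example.com", "ipa.example.com"]
HOSTS = {"ipaclient01.example.com", "ipaclient01.ipa.example.com",
         "kdc.ipa.example.com"}
DOMAIN_REALM = {"ipa.example.com": "IPA.EXAMPLE.COM",
                ".ipa.example.com": "IPA.EXAMPLE.COM"}

if __name__ == "__main__":
    for target in ("ipaclient01", "ipaclient01.ipa.example.com", "kdc"):
        print(target, "->", tickets_needed(target, "host", "IPA.EXAMPLE.COM",
                                           SEARCH, HOSTS, DOMAIN_REALM))
```

The short name expands under example.com first, maps to the non-existent realm EXAMPLE.COM and so produces the cross-realm krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM request seen in the slogin output, while the FQDN maps straight to IPA.EXAMPLE.COM.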