Re: [Freeipa-users] authenticate with base domain name?

2013-08-01 Thread Sumit Bose
On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote:
 On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
  On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:
 
  On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
   On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
  
   
   
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
   
 I think that's the issue. You have to make sure that host.domain.com 
 has
   
 a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
   
 setup must be correct so the IPA DNS can forward the request to the
   
 right server. Then you can call 'ipa host-add host.domain.com' which
   
 will create a host entry with the principal
   
 host/host.domain@unix.domain.com. Now you can call ipa-getkeytab 
 and
   
 transfer the new keytab to host.domain.com.
   
Ok, I'm dumbfounded (again.)
   
I've removed the old host from IPA:
   
xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
   
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
   
ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/session/xml'
   
ipa: ERROR: sla400q1.unix.domain.com: host not found
   
And I added the new host:
   
[xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
   
ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
   
ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/xml'
   
 Host name: sla400q1.domain.com
   
 Principal name: host/sla400q1.domain@unix.domain.com
   
 Password: False
   
  Keytab: True
   
 Managed by: sla400q1.domain.com
   
I generated the keytab:
   
[xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully 
retrieved
and stored in: /tmp/sla400q1.keytab
   
[xxx@slpidml01 ~]$
   
Then I copied that keytab to the host and put it in 
/etc/krb5/krb5.keytab
   
But, when I list the principals in the keytab:
   
sla400q1:/var/adm /usr/krb5/bin/klist -k -e
   
Keytab name:  FILE:/etc/krb5/krb5.keytab
   
KVNO Principal
   
 -
   
   1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode 
with
96-bit SHA-1 HMAC)
   
  1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode 
with
96-bit SHA-1 HMAC)
   
  1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
with HMAC/sha1)
   
  1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with 
HMAC/md5)
   
  2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode 
with
96-bit SHA-1 HMAC)
   
  2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode 
with
96-bit SHA-1 HMAC)
   
  2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
with HMAC/sha1)
   
  2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with 
HMAC/md5)
   
  1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   
  1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)
   
  1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)
   
  1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   
  2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   
  2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)
   
  2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)
   
  2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   
  3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   
  3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)
   
  3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)
   
  3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   
  4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   
  4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)
   
  4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)
   
  4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   
  5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   
  5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)
   
  5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)
   
  5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
   
  6 

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
 Ok, so, yeah -- my first question stands.  This works when it falls
 back to LDAP, but it does not honor a kerberos ticket.  Is there a way
 to do that in the same circumstances?
 
 Thanks again,
 
 --Jason
 
 On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:
  Nevermind, AIX problem (surprise, surprise!)
 
  Since it's half-kerberized at this point (the default is system auth,
  not kerb/ldap) it failed.
 
  I had to create entries in /etc/security/user for the users I wanted
  to test with and explicitly state that I wanted them to log on via
  krb5/ldap.
 
  --Jason
 
  On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
  I've been searching and I know it's been answered before but I can't find 
  it.
 
  I have UNIX.DOMAIN.COM as my IPA realm.
 
  I have some hosts that sit on (in dns) domain.com (they are not part
  of any other Kerberos realms.)
 
  I'm unable to currently change the domain names on these boxes.
 
  In krb5.conf I have the mappings:
 
  domain.com = UNIX.DOMAIN.COM
  .domain.com = UNIX.DOMAIN.COM
 
  I can do a kinit admin from the client machine and get a ticket.
 
  I'm unable to authenticate via ssh to the client machine (with the user 
  admin.)
 
  I'm able to su to the user, so we're talking to ldap and kerberos.
 
  I have the GSSAPI options set in sshd_config:
 
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
 
  But, in the syslog I see:
 
  Miscellaneous failure\nNo principal in keytab matches desired name\n
 
  I'm sure this is because I generated the keytab for
  host.unix.domain.com instead of host.domain.com -- but I don't
  know how to accomplish the second one.

I think that's the issue. You have to make sure that host.domain.com has
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
setup must be correct so the IPA DNS can forward the request to the
right server. Then you can call 'ipa host-add host.domain.com' which
will create a host entry with the principal
host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and
transfer the new keytab to host.domain.com.

HTH

bye,
Sumit

 
  I may be on the wrong track here.  Every time I think I understand
  this I get hit with something that shows me that I'm still clueless.
 
  A pointer to a previous discussion on this would be sufficient, I think.
 
  Thanks,
 
  --Jason
 
  --
  The government is going to read our mail anyway, might as well make it
  tough for them.  GPG Public key ID:  B6A1A7C6
 
 
 
  --
  The government is going to read our mail anyway, might as well make it
  tough for them.  GPG Public key ID:  B6A1A7C6
 
 
 
 -- 
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:

 I think that's the issue. You have to make sure that host.domain.com has

 a DNS entry somewhere, it does not have to be the IPA DNS but the DNS

 setup must be correct so the IPA DNS can forward the request to the

 right server. Then you can call 'ipa host-add host.domain.com' which

 will create a host entry with the principal

 host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and

 transfer the new keytab to host.domain.com.

Ok, I'm dumbfounded (again.)

I've removed the old host from IPA:

xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com

ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml

ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/session/xml'

ipa: ERROR: sla400q1.unix.domain.com: host not found

And I added the new host:

[xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com

ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml

ipa: INFO: Forwarding 'host_show' to server u'
https://slpidml01.unix.domain.com/ipa/xml'

 Host name: sla400q1.domain.com

 Principal name: host/sla400q1.domain@unix.domain.com

 Password: False

 Keytab: True

 Managed by: sla400q1.domain.com

I generated the keytab:

[xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
and stored in: /tmp/sla400q1.keytab

[xxx@slpidml01 ~]$

Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab

But, when I list the principals in the keytab:

sla400q1:/var/adm /usr/krb5/bin/klist -k -e

Keytab name:  FILE:/etc/krb5/krb5.keytab

KVNO Principal

 -

  1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)

  1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)

  1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)

  2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
96-bit SHA-1 HMAC)

  2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
96-bit SHA-1 HMAC)

  2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)

  1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

  2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

  3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

  4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

  5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

  6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
SHA-1 HMAC)

  6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
SHA-1 HMAC)

  6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
HMAC/sha1)

  6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

Where are the sla400q1.unix.domain.com coming from? I've done this over and
over, I can't find

any reference to sla400q1.unix.domain.com in DNS in IPA, and the box never
had any

unix.comain.com references.

In addition, I’m still getting the error:

Miscellaneous failure\nNo principal in keytab matches desired name\n

in the logs, even though:

sla400q1:/var/adm grep sla400q1 /etc/hosts

192.168.42.108  sla400q1-bk

#10.200.5.48sla400q1.domain.com sla400q1

10.200.5.48 sla400q1.domain.com sla400q1

sla400q1:/var/adm hostname

sla400q1.domain.com

sla400q1:/var/adm domainname


Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:



 On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:

  I think that's the issue. You have to make sure that host.domain.com has

  a DNS entry somewhere, it does not have to be the IPA DNS but the DNS

  setup must be correct so the IPA DNS can forward the request to the

  right server. Then you can call 'ipa host-add host.domain.com' which

  will create a host entry with the principal

  host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and

  transfer the new keytab to host.domain.com.

 Ok, I'm dumbfounded (again.)

 I've removed the old host from IPA:

 xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com

 ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml

 ipa: INFO: Forwarding 'host_show' to server u'
 https://slpidml01.unix.domain.com/ipa/session/xml'

 ipa: ERROR: sla400q1.unix.domain.com: host not found

 And I added the new host:

 [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com

 ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml

 ipa: INFO: Forwarding 'host_show' to server u'
 https://slpidml01.unix.domain.com/ipa/xml'

  Host name: sla400q1.domain.com

  Principal name: host/sla400q1.domain@unix.domain.com

  Password: False

   Keytab: True

  Managed by: sla400q1.domain.com

 I generated the keytab:

 [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
 sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
 and stored in: /tmp/sla400q1.keytab

 [xxx@slpidml01 ~]$

 Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab

 But, when I list the principals in the keytab:

 sla400q1:/var/adm /usr/krb5/bin/klist -k -e

 Keytab name:  FILE:/etc/krb5/krb5.keytab

 KVNO Principal

  -

1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
 with HMAC/sha1)

   1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)

   2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
 with HMAC/sha1)

   2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)

   1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

   2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

   3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

   4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

   5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

   6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)

   6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)

   6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)

   6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)

 Where are the sla400q1.unix.domain.com coming from? I've done this over
 and over, I can't find

 any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
 never had any

 unix.comain.com references.

 In addition, I’m still getting the error:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 in the logs, even though:

 sla400q1:/var/adm grep sla400q1 /etc/hosts

 192.168.42.108  sla400q1-bk

 

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote:
 On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
 
  I think that's the issue. You have to make sure that host.domain.com has
 
  a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
 
  setup must be correct so the IPA DNS can forward the request to the
 
  right server. Then you can call 'ipa host-add host.domain.com' which
 
  will create a host entry with the principal
 
  host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and
 
  transfer the new keytab to host.domain.com.
 
 Ok, I'm dumbfounded (again.)
 
 I've removed the old host from IPA:
 
 xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
 
 ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
 
 ipa: INFO: Forwarding 'host_show' to server u'
 https://slpidml01.unix.domain.com/ipa/session/xml'
 
 ipa: ERROR: sla400q1.unix.domain.com: host not found
 
 And I added the new host:
 
 [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
 
 ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
 
 ipa: INFO: Forwarding 'host_show' to server u'
 https://slpidml01.unix.domain.com/ipa/xml'
 
  Host name: sla400q1.domain.com
 
  Principal name: host/sla400q1.domain@unix.domain.com
 
  Password: False
 
  Keytab: True
 
  Managed by: sla400q1.domain.com
 
 I generated the keytab:
 
 [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
 sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
 and stored in: /tmp/sla400q1.keytab

does /tmp/sla400q1.keytab still exists from your previous attempts?
ipa-getkeytab might just add the news keys if the file is not empty?

bye,
Sumit

 
 [xxx@slpidml01 ~]$
 
 Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
 
 But, when I list the principals in the keytab:
 
 sla400q1:/var/adm /usr/krb5/bin/klist -k -e
 
 Keytab name:  FILE:/etc/krb5/krb5.keytab
 
 KVNO Principal
 
  -
 
   1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)
 
   1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)
 
   1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
 96-bit SHA-1 HMAC)
 
   2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
 96-bit SHA-1 HMAC)
 
   2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
   6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with 96-bit
 SHA-1 HMAC)
 
   6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with 96-bit
 SHA-1 HMAC)
 
   6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
 HMAC/sha1)
 
   6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
 Where are the sla400q1.unix.domain.com coming from? I've done this over and
 over, I can't find
 
 any reference to sla400q1.unix.domain.com in DNS in IPA, and the box never
 had any
 
 unix.comain.com references.
 
 In addition, 

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
 On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
 
 
 
  On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
 
   I think that's the issue. You have to make sure that host.domain.com has
 
   a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
 
   setup must be correct so the IPA DNS can forward the request to the
 
   right server. Then you can call 'ipa host-add host.domain.com' which
 
   will create a host entry with the principal
 
   host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and
 
   transfer the new keytab to host.domain.com.
 
  Ok, I'm dumbfounded (again.)
 
  I've removed the old host from IPA:
 
  xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
 
  ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
 
  ipa: INFO: Forwarding 'host_show' to server u'
  https://slpidml01.unix.domain.com/ipa/session/xml'
 
  ipa: ERROR: sla400q1.unix.domain.com: host not found
 
  And I added the new host:
 
  [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
 
  ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
 
  ipa: INFO: Forwarding 'host_show' to server u'
  https://slpidml01.unix.domain.com/ipa/xml'
 
   Host name: sla400q1.domain.com
 
   Principal name: host/sla400q1.domain@unix.domain.com
 
   Password: False
 
Keytab: True
 
   Managed by: sla400q1.domain.com
 
  I generated the keytab:
 
  [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
  sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
  and stored in: /tmp/sla400q1.keytab
 
  [xxx@slpidml01 ~]$
 
  Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
 
  But, when I list the principals in the keytab:
 
  sla400q1:/var/adm /usr/krb5/bin/klist -k -e
 
  Keytab name:  FILE:/etc/krb5/krb5.keytab
 
  KVNO Principal
 
   -
 
 1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
  with HMAC/sha1)
 
1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
 
2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
  with HMAC/sha1)
 
2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
 
1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
  96-bit SHA-1 HMAC)
 
6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
  96-bit SHA-1 HMAC)
 
6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
  HMAC/sha1)
 
6 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
 
  Where are the sla400q1.unix.domain.com coming from? I've done this over
  and over, I can't find
 
  any reference to sla400q1.unix.domain.com in DNS in IPA, and the box
  never had any
 
  unix.comain.com 

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:

 On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
  On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
 
  
  
   On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
  
I think that's the issue. You have to make sure that host.domain.com has
  
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
  
setup must be correct so the IPA DNS can forward the request to the
  
right server. Then you can call 'ipa host-add host.domain.com' which
  
will create a host entry with the principal
  
host/host.domain@unix.domain.com. Now you can call ipa-getkeytab and
  
transfer the new keytab to host.domain.com.
  
   Ok, I'm dumbfounded (again.)
  
   I've removed the old host from IPA:
  
   xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/session/xml'
  
   ipa: ERROR: sla400q1.unix.domain.com: host not found
  
   And I added the new host:
  
   [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/xml'
  
Host name: sla400q1.domain.com
  
Principal name: host/sla400q1.domain@unix.domain.com
  
Password: False
  
 Keytab: True
  
Managed by: sla400q1.domain.com
  
   I generated the keytab:
  
   [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
   sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
   and stored in: /tmp/sla400q1.keytab
  
   [xxx@slpidml01 ~]$
  
   Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
  
   But, when I list the principals in the keytab:
  
   sla400q1:/var/adm /usr/krb5/bin/klist -k -e
  
   Keytab name:  FILE:/etc/krb5/krb5.keytab
  
   KVNO Principal
  
    -
  
  1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 6 host/sla400q1.domain@unix.domain.com (ArcFour with 

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
 On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:

 On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
  On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
 
  
  
   On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
  
I think that's the issue. You have to make sure that host.domain.com 
has
  
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
  
setup must be correct so the IPA DNS can forward the request to the
  
right server. Then you can call 'ipa host-add host.domain.com' which
  
will create a host entry with the principal
  
host/host.domain@unix.domain.com. Now you can call ipa-getkeytab 
and
  
transfer the new keytab to host.domain.com.
  
   Ok, I'm dumbfounded (again.)
  
   I've removed the old host from IPA:
  
   xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/session/xml'
  
   ipa: ERROR: sla400q1.unix.domain.com: host not found
  
   And I added the new host:
  
   [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/xml'
  
Host name: sla400q1.domain.com
  
Principal name: host/sla400q1.domain@unix.domain.com
  
Password: False
  
 Keytab: True
  
Managed by: sla400q1.domain.com
  
   I generated the keytab:
  
   [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
   sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
   and stored in: /tmp/sla400q1.keytab
  
   [xxx@slpidml01 ~]$
  
   Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
  
   But, when I list the principals in the keytab:
  
   sla400q1:/var/adm /usr/krb5/bin/klist -k -e
  
   Keytab name:  FILE:/etc/krb5/krb5.keytab
  
   KVNO Principal
  
    -
  
  1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 01:57:50PM -0500, KodaK wrote:
 On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
  On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:
 
  On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
   On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
  
   
   
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
   
 
 Unfortunately, that made no difference:
 
 sla400q1:/var/adm nslookup 10.200.5.48
 Server: 10.200.2.24
 Address:10.200.2.24#53
 
 48.5.200.10.in-addr.arpaname = sla400q1.domain.com.
 
 
 Jul 31 14:55:09 sla400q1 auth|security:debug sshd[25624644]: debug1:
 Miscellaneous failure\nNo principal in keytab matches desired name\n
 
 It sure would be nice if the desired name was printed along with that
 error message.

Can you increase the debug level of sshd any further? Maybe the name is
listen then? Are you sure sshd is expecting the keytab in
/etc/krb5/krb5.keytab on AIX?

bye,
Sumit
 
 -- 
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
 On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:

 On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
  On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
 
  
  
   On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
  
I think that's the issue. You have to make sure that host.domain.com 
has
  
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
  
setup must be correct so the IPA DNS can forward the request to the
  
right server. Then you can call 'ipa host-add host.domain.com' which
  
will create a host entry with the principal
  
host/host.domain@unix.domain.com. Now you can call ipa-getkeytab 
and
  
transfer the new keytab to host.domain.com.
  
   Ok, I'm dumbfounded (again.)
  
   I've removed the old host from IPA:
  
   xxx@slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/session/xml'
  
   ipa: ERROR: sla400q1.unix.domain.com: host not found
  
   And I added the new host:
  
   [xxx@slpidml01 ~]$ ipa host-show sla400q1.domain.com
  
   ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
  
   ipa: INFO: Forwarding 'host_show' to server u'
   https://slpidml01.unix.domain.com/ipa/xml'
  
Host name: sla400q1.domain.com
  
Principal name: host/sla400q1.domain@unix.domain.com
  
Password: False
  
 Keytab: True
  
Managed by: sla400q1.domain.com
  
   I generated the keytab:
  
   [xxx@slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/
   sla400q1.domain.com -k /tmp/sla400q1.keytabKeytab successfully retrieved
   and stored in: /tmp/sla400q1.keytab
  
   [xxx@slpidml01 ~]$
  
   Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
  
   But, when I list the principals in the keytab:
  
   sla400q1:/var/adm /usr/krb5/bin/klist -k -e
  
   Keytab name:  FILE:/etc/krb5/krb5.keytab
  
   KVNO Principal
  
    -
  
  1 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 1 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.unix.domain@unix.domain.com (Triple DES cbc mode
   with HMAC/sha1)
  
 2 host/sla400q1.unix.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 1 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 1 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 1 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 2 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 2 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 2 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 3 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 3 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 3 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 4 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 4 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 4 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 5 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 5 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   HMAC/sha1)
  
 5 host/sla400q1.domain@unix.domain.com (ArcFour with HMAC/md5)
  
 6 host/sla400q1.domain@unix.domain.com (AES-256 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (AES-128 CTS mode with
   96-bit SHA-1 HMAC)
  
 6 host/sla400q1.domain@unix.domain.com (Triple DES cbc mode with
   

Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Nevermind, AIX problem (surprise, surprise!)

Since it's half-kerberized at this point (the default is system auth,
not kerb/ldap) it failed.

I had to create entries in /etc/security/user for the users I wanted
to test with and explicitly state that I wanted them to log on via
krb5/ldap.

--Jason

On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Ok, so, yeah -- my first question stands.  This works when it falls
back to LDAP, but it does not honor a kerberos ticket.  Is there a way
to do that in the same circumstances?

Thanks again,

--Jason

On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:
 Nevermind, AIX problem (surprise, surprise!)

 Since it's half-kerberized at this point (the default is system auth,
 not kerb/ldap) it failed.

 I had to create entries in /etc/security/user for the users I wanted
 to test with and explicitly state that I wanted them to log on via
 krb5/ldap.

 --Jason

 On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
 I've been searching and I know it's been answered before but I can't find it.

 I have UNIX.DOMAIN.COM as my IPA realm.

 I have some hosts that sit on (in dns) domain.com (they are not part
 of any other Kerberos realms.)

 I'm unable to currently change the domain names on these boxes.

 In krb5.conf I have the mappings:

 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM

 I can do a kinit admin from the client machine and get a ticket.

 I'm unable to authenticate via ssh to the client machine (with the user 
 admin.)

 I'm able to su to the user, so we're talking to ldap and kerberos.

 I have the GSSAPI options set in sshd_config:

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 But, in the syslog I see:

 Miscellaneous failure\nNo principal in keytab matches desired name\n

 I'm sure this is because I generated the keytab for
 host.unix.domain.com instead of host.domain.com -- but I don't
 know how to accomplish the second one.

 I may be on the wrong track here.  Every time I think I understand
 this I get hit with something that shows me that I'm still clueless.

 A pointer to a previous discussion on this would be sufficient, I think.

 Thanks,

 --Jason

 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



 --
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users