[Freeipa-users] Host certificate issue problem
Martin Kosek
mkosek at redhat.com
Mon Jul 22 14:33:49 UTC 2013
On 07/22/2013 04:26 PM, Rivet, Matt wrote:
>
>> Does anyone know why certmonger is looking for a keytab for host/det-webdl01 at . instead of host/host/det-webdl01.sub.example.com at EXAMPLE.com?
>
> In order to authenticate to the IPA server, the client software needs
> credentials. In order to obtain those credentials, it needs to figure
> out the client system's principal name. The function it uses to do this
> derives that principal name by doing a lookup to discover the client
> host's canonical name, and in this case that appears to be returning the
> shorter name.
>
> I'd check the result of running 'getent hosts `hostname`', and if
> /etc/hosts has an entry for the hostname that lists the short version
> first.
>
> HTH,
>
> Nalin
>
>
> /etc/hosts has both short and FQDN. I removed the short and resubmitted the certificate. That resolved my issue. Should I completely remove the short name or is there a way to work around this?
>
/etc/hosts can have the short form, it just needs to be specified _after_ the
FQDN one, i.e.:
10.0.0.1 ipa.example.com ipa
HTH,
Martin
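
A check for the ordering described above, as an added example that is not part of the original thread: the shell function `check_hosts_order` (a hypothetical name) reads a hosts-format file and reports whether each entry that names the host lists an FQDN first, since the first name on a line is the canonical name the files lookup returns. The sample file is constructed and reuses the `ipa.example.com` entry from the reply.

```shell
#!/bin/sh
# Added example, not from the thread. check_hosts_order is a hypothetical helper.
#
# check_hosts_order FILE SHORTNAME
#   Prints "ok <canonical>" or "short-first <canonical>" for every entry in
#   FILE that names SHORTNAME (as a bare name or as the first label of an FQDN).
#   Exit status: 0 = FQDN listed first everywhere, 1 = some entry lists the
#   short name first, 2 = no entry for the host at all.
check_hosts_order() {
    file=$1
    short=$2
    awk -v short="$short" '
        BEGIN { short = tolower(short) }
        { sub(/#.*/, "") }          # drop comments; awk re-splits the fields
        NF < 2 { next }             # need an address and at least one name
        {
            hit = 0
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == short || index(n, short ".") == 1) hit = 1
            }
            if (!hit) next
            found = 1
            # $2 is the canonical name; the remaining names are aliases
            if (index($2, ".") > 0) {
                print "ok " $2
            } else {
                print "short-first " $2
                bad = 1
            }
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }
    ' "$file"
}

# Constructed sample reproducing the problem ordering (short name before FQDN).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
10.0.0.1    ipa ipa.example.com   # canonical name resolves to "ipa"
EOF
check_hosts_order "$sample" ipa || echo "exit status: $?"
rm -f "$sample"
```

On a real client, run it as `check_hosts_order /etc/hosts "$(hostname -s)"` alongside the 'getent hosts `hostname`' check suggested earlier in the thread.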