[Freeipa-users] authenticate with base domain name?

Sumit Bose sbose at redhat.com
Wed Jul 31 11:56:52 UTC 2013


On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
> Ok, so, yeah -- my first question stands.  This works when it falls
> back to LDAP, but it does not honor a kerberos ticket.  Is there a way
> to do that in the same circumstances?
> 
> Thanks again,
> 
> --Jason
> 
> On Tue, Jul 30, 2013 at 2:58 PM, KodaK <sakodak at gmail.com> wrote:
> > Never mind, AIX problem (surprise, surprise!)
> >
> > Since it's half-kerberized at this point (the default is system auth,
> > not kerb/ldap) it failed.
> >
> > I had to create entries in /etc/security/user for the users I wanted
> > to test with and explicitly state that I wanted them to log on via
> > krb5/ldap.
> >
> > --Jason
> >
> > On Tue, Jul 30, 2013 at 2:41 PM, KodaK <sakodak at gmail.com> wrote:
> >> I've been searching and I know it's been answered before but I can't find it.
> >>
> >> I have UNIX.DOMAIN.COM as my IPA realm.
> >>
> >> I have some hosts that sit on (in dns) domain.com (they are not part
> >> of any other Kerberos realms.)
> >>
> >> I'm unable to currently change the domain names on these boxes.
> >>
> >> In krb5.conf I have the mappings:
> >>
> >> domain.com = UNIX.DOMAIN.COM
> >> .domain.com = UNIX.DOMAIN.COM
> >>
> >> I can do a kinit admin from the client machine and get a ticket.
> >>
> >> I'm unable to authenticate via ssh to the client machine (with the user admin.)
> >>
> >> I'm able to "su" to the user, so we're talking to ldap and kerberos.
> >>
> >> I have the GSSAPI options set in sshd_config:
> >>
> >> GSSAPIAuthentication yes
> >> GSSAPICleanupCredentials yes
> >>
> >> But, in the syslog I see:
> >>
> >> Miscellaneous failure\nNo principal in keytab matches desired name\n
> >>
> >> I'm sure this is because I generated the keytab for
> >> "host.unix.domain.com" instead of "host.domain.com" -- but I don't
> >> know how to accomplish the second one.

I think that's the issue. You have to make sure that host.domain.com has
a DNS entry somewhere; it does not have to be in the IPA DNS, but the DNS
setup must be correct so the IPA DNS can forward the request to the
right server. Then you can call 'ipa host-add host.domain.com', which
will create a host entry with the principal
host/host.domain.com@UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
transfer the new keytab to host.domain.com.

HTH

bye,
Sumit

> >>
> >> I may be on the wrong track here.  Every time I think I understand
> >> this I get hit with something that shows me that I'm still clueless.
> >>
> >> A pointer to a previous discussion on this would be sufficient, I think.
> >>
> >> Thanks,
> >>
> >> --Jason
> >>
> >> --
> >> The government is going to read our mail anyway, might as well make it
> >> tough for them.  GPG Public key ID:  B6A1A7C6
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
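The mismatch discussed in this thread can be checked offline before touching sshd. The script below is an added example, not something posted by Jason or Sumit and not part of FreeIPA: it reproduces the two lookups that have to agree for GSSAPI ssh to work. The client maps the hostname it connects to through [domain_realm] (exact hostname first, then parent domains with a leading dot, most specific first) and asks for host/<fqdn>@<REALM>; sshd then has to find that same principal in its keytab, and "No principal in keytab matches desired name" is what you get when it does not. The krb5.conf fragment and the klist -k listing are constructed sample data modelled on the thread (realm UNIX.DOMAIN.COM, hosts under domain.com, keytab generated for host.unix.domain.com); the domain_realm walk is a simplified model of libkrb5's lookup, not a copy of its code.

```python
"""Check whether a host's keytab holds the principal GSSAPI ssh will ask for.

Added example for the freeipa-users thread on "No principal in keytab
matches desired name"; not code from FreeIPA or MIT krb5.
"""
import re

# Constructed krb5.conf fragment modelled on the original poster's setup.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = UNIX.DOMAIN.COM
 dns_lookup_realm = false

[domain_realm]
 domain.com = UNIX.DOMAIN.COM
 .domain.com = UNIX.DOMAIN.COM
 unix.domain.com = UNIX.DOMAIN.COM
 .unix.domain.com = UNIX.DOMAIN.COM
"""

# Constructed `klist -k /etc/krb5.keytab` output: the keytab was generated
# for host.unix.domain.com, while the machine is reached as host.domain.com.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/host.unix.domain.com@UNIX.DOMAIN.COM
   1 host/host.unix.domain.com@UNIX.DOMAIN.COM
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercased key: REALM}."""
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(fqdn, domain_realm, default_realm=None):
    """Simplified model of the libkrb5 domain_realm walk: try the exact
    hostname, then each parent domain with a leading dot (and, as newer
    libkrb5 versions do, without it), most specific first."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in domain_realm:
                return domain_realm[candidate]
    return default_realm


def expected_host_principal(fqdn, domain_realm, default_realm=None):
    """The acceptor name sshd is asked for: host/<fqdn>@<REALM>."""
    realm = realm_for_host(fqdn, domain_realm, default_realm)
    if realm is None:
        return None
    return "host/%s@%s" % (fqdn.lower().rstrip("."), realm)


def keytab_principals(listing):
    """Extract the principal column from `klist -k` style output."""
    principals = set()
    for line in listing.splitlines():
        entry = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if entry:
            principals.add(entry.group(1))
    return principals


def check_keytab(fqdn, conf_text, listing):
    """Return (expected principal, True if the keytab contains it)."""
    expected = expected_host_principal(fqdn, parse_domain_realm(conf_text))
    return expected, expected in keytab_principals(listing)


if __name__ == "__main__":
    for host in ("host.domain.com", "host.unix.domain.com"):
        principal, present = check_keytab(host, SAMPLE_KRB5_CONF,
                                          SAMPLE_KEYTAB_LISTING)
        verdict = "present" if present else "MISSING (sshd: No principal in keytab matches desired name)"
        print("%-22s needs %-42s %s" % (host, principal, verdict))
```

On a real box you would feed it the machine's own krb5.conf and the output of klist -k, using the name the machine is actually reached by (hostname -f / the DNS name clients type), which is exactly the name the ipa host-add and ipa-getkeytab steps above have to be run for.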
