[Freeipa-users] MultiHomed Server SSH login issue

Rob Crittenden rcritten at redhat.com
Mon Feb 22 15:48:54 UTC 2010


David Christensen wrote:
> I have my ipa 1.2.2 setup in an environment where my servers have two
> NICs each in a different VLAN.
> 
> With the multi NIC setup I have two different DNS names for a single
> host to control which interface is used when accessing the host e.g.
> host.example.com and host.priv.example.com.  The hostname of the server
> is set to host.example.com.
> 
> I first configured the ipa-client on the host with the host.example.com
> service principal and all is well; I can login via ssh and
> authentication occurs via kerberos.  I then setup another service
> principal with the host.priv.example.com and downloaded the keytab to
> the target server.  However when I try to login via ssh I am prompted
> for a password.
> 
> Turning on verbose output for ssh and upping the syslog to debug, I came
> across this: Error code krb5 144 which I discovered means "wrong
> principal in request."
> 
> Is what I am trying to do, having more than one host/ssh service
> principal for a single host that is multihomed?
> 
> If so what is causing the error code 144 when I can see that in my local
> klist the ticket for the host.priv.example.com is present?

How did you add the new host principal to /etc/krb5.conf? Can you run: 
klist -kt /etc/krb5.keytab?

I suspect you overwrote the host principal for host.example.com.

rob
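
The keytab check suggested above, as an added example that is not part of the original thread: it reads `klist -kt` output and reports which expected host principals have no entry, which is what an overwritten keytab looks like. The function name, the EXAMPLE.COM realm and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Reads `klist -kt` output on
# stdin and prints every expected principal that has no keytab entry.
# An expected name without "@REALM" matches an entry in any realm.
missing_principals() {
    listing=$(cat)
    for want in "$@"; do
        printf '%s\n' "$listing" | awk -v want="$want" '
            $1 ~ /^[0-9]+$/ {            # entry rows start with the KVNO
                p = $NF                  # principal is the last field
                if (want !~ /@/) sub(/@.*$/, "", p)
                if (p == want) found = 1
            }
            END { exit found ? 0 : 1 }
        ' || printf '%s\n' "$want"
    done
}

# Constructed sample: keytab holding keys for both names (realm is assumed).
sample_both() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/22/10 15:10:01 host/host.example.com@EXAMPLE.COM
   2 02/22/10 15:10:01 host/host.example.com@EXAMPLE.COM
   1 02/22/10 15:40:12 host/host.priv.example.com@EXAMPLE.COM
EOF
}

# Constructed sample: the second download replaced the file instead of
# adding to it, so only the newer principal remains.
sample_overwritten() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/22/10 15:40:12 host/host.priv.example.com@EXAMPLE.COM
EOF
}

# On a real host: klist -kt /etc/krb5.keytab | missing_principals <names...>
sample_overwritten | missing_principals host/host.example.com host/host.priv.example.com
```

An empty result means every expected name has at least one key in the keytab; any name printed is one sshd on that host cannot accept tickets for.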



