[Freeipa-users] dns delegated zone issue
Natxo Asenjo
natxo.asenjo at gmail.com
Wed Dec 7 22:00:19 UTC 2011
hi,
for 'historical' reasons, I have a working dns zone in my lan, say
example.com. In this zone, I have delegated an ipa.example.com zone
for ipa.
I have set up freeipa (homelab, SL 6.1 with version
ipa-server-2.0.0-23.el6.i686) and it works, I have a server and a
client (kdc.ipa.example.com and ipaclient01.ipa.example.com).
From a laptop (not member of the ipa realm) I kinit to this realm:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@IPA.EXAMPLE.COM

Valid starting     Expires            Service principal
12/07/11 22:24:17  12/08/11 22:24:17  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
        renew until 12/14/11 22:24:17
12/07/11 22:24:43  12/08/11 22:24:17  HTTP/kdc.ipa.example.com.nx@IPA.EXAMPLE.COM
        renew until 12/14/11 22:24:17
12/07/11 22:27:28  12/08/11 22:24:17  host/kdc.ipa.example.com.nx@IPA.EXAMPLE.COM
        renew until 12/14/11 22:24:17
As you see, I could go on the web ui and login from ssh.
When logging in to ipaclient01, I get prompted to enter a password,
and the error is clear when getting verbose output from slogin:

$ slogin -v user@ipaclient01
.......
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database
If I login using a fqdn instead of the simple one, then it works. The
funny thing is, I can use the simple dns name to login the kdc server.
Why?
I use both example.com and ipa.example.com in the laptop's search
field in /etc/resolv.conf, by the way.
Another question: why is it not possible to add simple hostnames as a
service principal?
TIA, great stuff so far :-)
--
Groeten,
natxo
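An added illustration of the mechanism behind the "krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found" error above; this is example code written for this page, not code from Natxo's post or from FreeIPA, and it is not a diagnosis of his particular setup. Before requesting a service ticket, libkrb5 maps the server hostname to a realm via the [domain_realm] section (exact host entry, then the longest matching parent domain with a leading dot). If the realm it picks differs from the client's realm, the client first asks its own KDC for a cross-realm TGT named krbtgt/<server realm>@<client realm>, which is exactly the principal the KDC says it cannot find. The toy below models that decision; the DOMAIN_REALM map, DEFAULT_REALM and the fallback rule (uppercase the domain part of the name, or the default realm for a dotless name) are assumptions chosen to show how a short name and an FQDN can land in different realms. The real library also canonicalizes the typed name through DNS first (dns_canonicalize_hostname / rdns), which this model skips, so the name passed in is what the mapping sees.

```python
"""Toy model of MIT Kerberos hostname -> realm mapping and the cross-realm
krbtgt principal that a realm mismatch produces.

Added example, not code from the original mailing-list post or from FreeIPA.
The [domain_realm] lookup order (exact host, then longest parent domain with
a leading dot) follows MIT's documented rules; the fallback below (uppercase
the domain part, or the default realm for a dotless name) is an assumption
that approximates pre-referral behaviour. All names and realms are constructed
for illustration.
"""

# Assumption: the laptop's default_realm is the "historical" realm.
DEFAULT_REALM = "EXAMPLE.COM"

# Assumed [domain_realm] section: it maps the delegated ipa.example.com
# subtree correctly, but says nothing about bare short hostnames.
DOMAIN_REALM = {
    "ipa.example.com": "IPA.EXAMPLE.COM",
    ".ipa.example.com": "IPA.EXAMPLE.COM",
}


def host_to_realm(hostname, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Return the realm libkrb5 would assume for a service on `hostname`."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")

    # 1. An exact hostname entry wins outright.
    if host in domain_realm:
        return domain_realm[host]

    # 2. Otherwise the longest parent domain with a leading dot:
    #    ".ipa.example.com" matches "a.ipa.example.com" but not "ipa.example.com".
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]

    # 3. Fallback (assumption): uppercase the domain part if there is one,
    #    else fall back to the client's default realm. A short name typed
    #    at the prompt has no domain part, so it ends up here.
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return default_realm


def service_ticket_request(client_realm, service, hostname, domain_realm=DOMAIN_REALM):
    """Return (service principal, cross-realm TGT principal or None).

    When the mapped server realm differs from the client's realm, the client
    must first obtain krbtgt/<server realm>@<client realm> from its own KDC;
    if no trust exists, the KDC answers that this principal is unknown.
    """
    server_realm = host_to_realm(hostname, domain_realm)
    service_principal = f"{service}/{hostname}@{server_realm}"
    if server_realm == client_realm:
        return service_principal, None
    return service_principal, f"krbtgt/{server_realm}@{client_realm}"


if __name__ == "__main__":
    for name in ("ipaclient01", "ipaclient01.ipa.example.com"):
        sp, xrealm = service_ticket_request("IPA.EXAMPLE.COM", "host", name)
        print(f"{name:30s} -> {sp}" + (f"  (needs {xrealm})" if xrealm else ""))
```

Running the block prints the FQDN resolving cleanly inside IPA.EXAMPLE.COM while the short name is assigned to EXAMPLE.COM and therefore triggers a request for krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM, the same shape as the slogin debug output. Whether a given client actually walks this path depends on what DNS canonicalization returns for the short name, so the practical check on a real host is to compare the canonical name the resolver gives for the short and long forms and to verify that both map to the intended realm in /etc/krb5.conf.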