[Freeipa-users] authenticate with base domain name?

Sumit Bose sbose at redhat.com
Thu Aug 1 09:44:20 UTC 2013


On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK <sakodak at gmail.com> wrote:
> > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose <sbose at redhat.com> wrote:
> >>
> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> >> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK <sakodak at gmail.com> wrote:
> >> >
> >> > >
> >> > >
> >> > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose <sbose at redhat.com> wrote:
> >> > >
> >> > > > I think that's the issue. You have to make sure that host.domain.com has
> >> > >
> >> > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
> >> > >
> >> > > > setup must be correct so the IPA DNS can forward the request to the
> >> > >
> >> > > > right server. Then you can call 'ipa host-add host.domain.com' which
> >> > >
> >> > > > will create a host entry with the principal
> >> > >
> >> > > > host/host.domain.com at UNIX.DOMAIN.COM. Now you can call ipa-getkeytab and
> >> > >
> >> > > > transfer the new keytab to host.domain.com.
> >> > >
> >> > > Ok, I'm dumbfounded (again.)
> >> > >
> >> > > I've removed the old host from IPA:
> >> > >
> >> > > [xxx at slpidml01 ~]$ ipa host-show sla400q1.unix.domain.com
> >> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/session/xml
> >> > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/session/xml'
> >> > > ipa: ERROR: sla400q1.unix.domain.com: host not found
> >> > >
> >> > > And I added the new host:
> >> > >
> >> > > [xxx at slpidml01 ~]$ ipa host-show sla400q1.domain.com
> >> > > ipa: INFO: trying https://slpidml01.unix.domain.com/ipa/xml
> >> > > ipa: INFO: Forwarding 'host_show' to server u'https://slpidml01.unix.domain.com/ipa/xml'
> >> > >   Host name: sla400q1.domain.com
> >> > >   Principal name: host/sla400q1.domain.com at UNIX.DOMAIN.COM
> >> > >   Password: False
> >> > >   Keytab: True
> >> > >   Managed by: sla400q1.domain.com
> >> > >
> >> > > I generated the keytab:
> >> > >
> >> > > [xxx at slpidml01 ~]$ ipa-getkeytab -s slpidml01.unix.domain.com -p host/sla400q1.domain.com -k /tmp/sla400q1.keytab
> >> > > Keytab successfully retrieved and stored in: /tmp/sla400q1.keytab
> >> > > [xxx at slpidml01 ~]$
> >> > >
> >> > > Then I copied that keytab to the host and put it in /etc/krb5/krb5.keytab
> >> > >
> >> > > But, when I list the principals in the keytab:
> >> > >
> >> > > sla400q1:/var/adm> /usr/krb5/bin/klist -k -e
> >> > > Keytab name:  FILE:/etc/krb5/krb5.keytab
> >> > > KVNO Principal
> >> > > ---- ---------
> >> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    1 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    2 host/sla400q1.unix.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    1 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    2 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    3 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    4 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    5 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >> > >    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
> >> > >    6 host/sla400q1.domain.com at UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
> >> > >
> >> > > Where are the sla400q1.unix.domain.com coming from? I've done this over
> >> > > and over, I can't find any reference to sla400q1.unix.domain.com in DNS
> >> > > in IPA, and the box never had any unix.domain.com references.
> >> > >
> >> > > In addition, I'm still getting the error:
> >> > >
> >> > > Miscellaneous failure\nNo principal in keytab matches desired name\n
> >> > >
> >> > > in the logs, even though:
> >> > >
> >> > > sla400q1:/var/adm> grep sla400q1 /etc/hosts
> >> > > 192.168.42.108  sla400q1-bk
> >> > > #10.200.5.48    sla400q1.domain.com sla400q1
> >> > > 10.200.5.48     sla400q1.domain.com sla400q1
> >> > > sla400q1:/var/adm> hostname
> >> > > sla400q1.domain.com
> >> > > sla400q1:/var/adm> domainname
> >> > > domain.com
> >> > > sla400q1:/var/adm>
> >> > >
> >> > > Any clues?
> >> > >
> >> > forgot to add:
> >> >
> >> > sla400q1:/var/adm> nslookup 10.200.5.48
> >> > Server:         10.200.2.24
> >> > Address:        10.200.2.24#53
> >> >
> >> > 48.5.200.10.in-addr.arpa        name = SLA400Q1.domain.com.
> >>
> >> hmm, DNS is case-insensitive, Kerberos is case-sensitive. If AIX Kerberos
> >> does some reverse DNS lookups it might end up looking for
> >> host/SLA400Q1.domain.com at UNIX.DOMAIN.COM. If you cannot change the case
> >> of the DNS entry, please try to create an IPA host with the case
> >> returned by DNS.
> >>
> >>
> >
> > IPA just changes SLA400Q1.domain.com to lower case when I do a host-add.
> >
> > I've asked the admins of "domain.com" to change the reverse entry,
> > we'll see how that goes.
> >
> > Thanks again,
> >
> > --Jason
> 
> Blew everything away regarding this host in IPA, cleared the keytab
> and caches on the AIX box.
> 
> And I have success.  Finally.
> 
> Thanks!

great, thank you for the feedback.

bye,
Sumit

> 
> 
> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
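The mismatch the thread ends on (a PTR record returning SLA400Q1.domain.com while the keytab holds host/sla400q1.domain.com, plus stale keys for the old FQDN) can be caught before the service logs "No principal in keytab matches desired name". The check below is an added example, not code from the thread or from FreeIPA; the klist output it parses is a constructed sample written with a real "@" rather than the list archive's "at" obfuscation, and the realm and host names are taken from the thread.

```python
import re
import socket

# Constructed sample of `klist -k -e` output, modelled on the thread: stale
# entries for the old FQDN sit beside the entries for the new one.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sla400q1.unix.domain.com@UNIX.DOMAIN.COM (ArcFour with HMAC/md5)
   6 host/sla400q1.domain.com@UNIX.DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# KVNO, principal, and the parenthesised encryption type of one keytab entry.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -k -e` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def reverse_name(ip):
    """PTR name for ip with its case preserved (needs DNS; not used in the test)."""
    return socket.gethostbyaddr(ip)[0]

def check_keytab(entries, dns_name, realm):
    """Compare the name DNS reports for this host with the keytab contents.

    Kerberos matches principals byte for byte while DNS ignores case, so a PTR
    record of SLA400Q1.domain.com never matches host/sla400q1.domain.com@REALM
    even though both names resolve identically; that is the 'No principal in
    keytab matches desired name' error from the thread. Entries for any other
    host name are stale keys left from an earlier enrolment.
    """
    wanted = f"host/{dns_name}@{realm}"
    principals = {p for _, p, _ in entries}
    same_ignoring_case = {p for p in principals if p.lower() == wanted.lower()}
    return {
        "wanted": wanted,
        "exact_match": wanted in principals,
        "case_mismatch": sorted(same_ignoring_case - {wanted}),
        "stale": sorted(principals - same_ignoring_case),
    }

if __name__ == "__main__":
    # Upper-case name, as the PTR record in the thread returned it.
    print(check_keytab(parse_klist(SAMPLE_KLIST), "SLA400Q1.domain.com", "UNIX.DOMAIN.COM"))
```

On a real host, feed it the output of `klist -k -e` and `reverse_name()` of the host's address; a non-empty `case_mismatch` points at the DNS record (or the host entry's case) and a non-empty `stale` list at keys that should go before re-enrolling.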