Dear Alexander,
klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
This is a bit non-standard, I understand, but so far this configuration is working OK. I
guess the issue is that the ticket is being issued for the wrong domain.
I've attached a screenshot of the DNS configuration for the sub-zone.
Our intention here is to ensure that the DNS entry and host for the IPA server within a
different sub-zone and subnet resolves to a single IP for speed. So a "host" has
been created for each of the interfaces, all of the respective Kerberos principals for the
host services (ldap in this case) and then a new certificate issued with the alt names on
it to allow for LDAPS. This works well, right up until the point of GSSAPI getting
involved. There must be a piece of the puzzle we're missing here!
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
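The script below is an added diagnostic, not part of this mail and not FreeIPA or 389-ds code. It takes the klist -kt output above (reduced to one line per principal, mailto noise removed) and, for each hostname a client might use, works out which ldap/ service principal a GSSAPI client would request after MIT krb5-style hostname canonicalisation and whether that principal exists in the keytab. The DNS forward and reverse maps are constructed (the screenshot of the sub-zone is not on the page); the ipa-b.mgmt / ipa-b-mgmt names and the 192.0.2.x addresses are hypothetical and only there to show what a mismatch looks like. The canonicalisation model is simplified: forward lookup of the name, then, when rdns is on (the long-standing krb5 default), substitution of the PTR name.

```python
"""Check which ldap/ principal a GSSAPI client will ask for versus what the
389-ds keytab actually holds.  Added example; all DNS data is constructed."""
import re
from typing import Dict, List, Set, Tuple

REALM = "IN.BMRC.OX.AC.UK"

# Constructed from the klist -kt output in the mail, one line per principal.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
   2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
"""

# Hypothetical DNS data (documentation addresses from RFC 5737).  The
# "mgmt" interface and its PTR name are invented to show a mismatch.
FORWARD: Dict[str, str] = {
    "ipa-b.in.bmrc.ox.ac.uk": "192.0.2.10",
    "ipa-b.virt.in.bmrc.ox.ac.uk": "192.0.2.20",
    "ipa-b.cloud.in.bmrc.ox.ac.uk": "192.0.2.30",
    "ipa-b.hpc.in.bmrc.ox.ac.uk": "192.0.2.40",
    "ipa-b.mgmt.in.bmrc.ox.ac.uk": "192.0.2.50",   # hypothetical
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "ipa-b.in.bmrc.ox.ac.uk",
    "192.0.2.20": "ipa-b.in.bmrc.ox.ac.uk",        # PTR points at primary name
    "192.0.2.30": "ipa-b.in.bmrc.ox.ac.uk",
    "192.0.2.40": "ipa-b.hpc.in.bmrc.ox.ac.uk",
    "192.0.2.50": "ipa-b-mgmt.in.bmrc.ox.ac.uk",   # hypothetical, not in keytab
}

# KVNO, "DD/MM/YY HH:MM:SS", principal
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(text: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -kt` output to the set of KVNOs present."""
    found: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or "@" not in m.group(3):
            continue  # "Keytab name:", column header or separator line
        found.setdefault(m.group(3), set()).add(int(m.group(1)))
    return found


def canonical_host(name: str, rdns: bool) -> str:
    """Simplified MIT krb5 behaviour with dns_canonicalize_hostname=true:
    forward-resolve the name; if rdns is on, use the PTR name instead."""
    host = name.lower().rstrip(".")
    addr = FORWARD.get(host)
    if addr is None:
        return host                      # unresolvable: used verbatim
    if rdns:
        return REVERSE.get(addr, host)   # no PTR: fall back to forward name
    return host


def check_service(host: str, keytab: Dict[str, Set[int]],
                  rdns: bool) -> Tuple[str, bool]:
    """Return (principal the client will request, present-in-keytab)."""
    principal = f"ldap/{canonical_host(host, rdns)}@{REALM}"
    return principal, principal in keytab


def audit(keytab: Dict[str, Set[int]],
          hosts: List[str]) -> List[Tuple[str, bool, str, bool]]:
    """Evaluate every host under both rdns settings."""
    rows = []
    for h in hosts:
        for rdns in (False, True):
            principal, ok = check_service(h, keytab, rdns)
            rows.append((h, rdns, principal, ok))
    return rows


if __name__ == "__main__":
    kt = parse_klist(KLIST_OUTPUT)
    for host, rdns, principal, ok in audit(kt, sorted(FORWARD)):
        print(f"{host:30} rdns={str(rdns):5} -> {principal:52} "
              f"{'OK' if ok else 'MISSING'}")
```

Run against the real zone by replacing the two maps with the output of the forward and PTR lookups the clients actually see; a row that reads MISSING names the principal the client asks for but the directory server cannot decrypt, which is one concrete way a ticket ends up issued for the "wrong" name. The same check is worth repeating for the host/ principals if SSH is involved.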
On 11 Mar 2019, at 14:58, Alexander Bokovoy <abokovoy@redhat.com> wrote:
klist -kt /etc/dirsrv/ds.keytab