klist -kt /etc/dirsrv/ds.keytab

Keytab name: FILE:/etc/dirsrv/ds.keytab

KVNO Timestamp Principal

---- ----------------- --------------------------------------------------------

1 02/11/18 12:09:17 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

3 08/03/19 16:11:12 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

4 08/03/19 16:11:44 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

4 08/03/19 16:25:20 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

1 11/03/19 10:50:01 ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

2 11/03/19 10:50:17 ldap/ipa-b.cloud.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

2 11/03/19 10:50:22 ldap/ipa-b.hpc.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK

This is a bit non-standard i understand, but so far this configuration is working ok. I guess the issue is that the ticket is being issued for the wrong domain.

Our intention here is to ensure that the DNS entry and host for the IPA server within a different sub-zone and subnet resolves to a single IP for speed. So a "host" has been created for each of the interfaces, all of the respective kerberos principals for the host services (ldap in this case) and then a new certificate issued with the alt names on it to allow for LDAPS. This works well, right up until the point of GSSAPI getting involved. There must be a piece of the puzzle we're missing here!

Regards,

Callum

--

Callum Smith

Research Computing Core

Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk

On 11 Mar 2019, at 14:58, Alexander Bokovoy <abokovoy@redhat.com> wrote:

klist
-kt /etc/dirsrv/ds.keytab