Dear Alexander,
klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
This is a bit non-standard I understand, but so far this configuration is working ok. I guess the issue is that the ticket is being issued for the wrong domain.
I've attached a screenshot of the DNS configuration for the sub-zone.
Our intention here is to ensure that the DNS entry and host for the IPA server within a different sub-zone and subnet resolves to a single IP for speed. So a "host" has been created for each of the interfaces, all of the respective Kerberos principals
for the host services (ldap in this case) and then a new certificate issued with the alt names on it to allow for LDAPS. This works well, right up until the point of GSSAPI getting involved. There must be a piece of the puzzle we're missing here!
Regards,
Callum
--
Callum Smith
Research Computing Core
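A check that is useful when debugging a setup like the one described above (one server reachable under several names, one keytab, one certificate carrying those names as SANs) is to cross-reference the keytab against the certificate's SAN list and against the expected realm. The script below is an added example and is not code from the thread or from FreeIPA; the hostnames, realm, and the `klist -kt` listing it parses are constructed sample data, and `SAMPLE_SANS` stands in for what you would read out of the LDAPS certificate with `openssl x509 -noout -ext subjectAltName`. It reports every SAN name that has no `ldap/<name>@REALM` entry in the keytab, which is the usual reason GSSAPI works for one name and fails for another, and every keytab entry whose realm is not the one you expect, which matches the "ticket issued for the wrong domain" symptom.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `klist -kt /etc/dirsrv/ds.keytab` output (hypothetical
# hosts and realm; the listing quoted in the message above had no entries).
SAMPLE_KLIST = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/2020 00:00:00 ldap/ipa.example.test@EXAMPLE.TEST
   2 01/01/2020 00:00:00 ldap/ipa.example.test@EXAMPLE.TEST
   2 01/01/2020 00:00:00 ldap/ipa.sub.example.test@EXAMPLE.TEST
   2 01/01/2020 00:00:00 ldap/ipa.sub.example.test@SUB.EXAMPLE.TEST
"""

# Constructed SAN list, as it would be read from the LDAPS certificate.
SAMPLE_SANS: List[str] = [
    "ipa.example.test",
    "ipa.sub.example.test",
    "ipa-fast.sub.example.test",
]

# One keytab line: "<kvno> <date> <time> <principal>". The timestamp is two
# whitespace-separated tokens whatever the locale's date format is.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def parse_keytab_listing(text: str) -> Dict[str, Set[int]]:
    """Map each principal in a `klist -kt` listing to the set of KVNOs it has."""
    principals: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header, separator, or blank line
        kvno, principal = int(m.group(1)), m.group(2)
        principals.setdefault(principal, set()).add(kvno)
    return principals


def missing_service_principals(keytab_text: str, san_hostnames: List[str],
                               realm: str, service: str = "ldap") -> List[str]:
    """Return the service principals that the SAN names require but the keytab lacks.

    A client that resolves the server as <san> will request a ticket for
    service/<san>@REALM, so every SAN name needs its own keytab entry.
    """
    have = parse_keytab_listing(keytab_text)
    missing = []
    for host in san_hostnames:
        principal = f"{service}/{host.lower()}@{realm}"
        if principal not in have:
            missing.append(principal)
    return missing


def foreign_realm_principals(keytab_text: str, realm: str) -> List[str]:
    """Return keytab principals whose realm differs from the expected one."""
    return sorted(p for p in parse_keytab_listing(keytab_text)
                  if not p.endswith("@" + realm))


if __name__ == "__main__":
    for p in missing_service_principals(SAMPLE_KLIST, SAMPLE_SANS, "EXAMPLE.TEST"):
        print("no keytab entry for", p)
    for p in foreign_realm_principals(SAMPLE_KLIST, "EXAMPLE.TEST"):
        print("unexpected realm in keytab entry", p)
```

Run it against the real output of `klist -kt` and the real SAN list; any name it reports as missing will work over plain LDAPS but fail as soon as SASL/GSSAPI is negotiated, and any entry it reports under another realm should be checked against which KDC actually issued the client's ticket.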