AD users are not able to ssh in to IPA client due to the error: "No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab" in krb5_child.log file

Solution Verified - Updated -

Issue

AD users are not able to ssh in to the IPA client. The krb5_child.log file shows the error: "No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab".
The id command returns correct output.
AD users are able to ssh in to IPA server.

The following errors are seen in /var/log/sssd/krb5_child.log:

Trying to find principal host/ipa-client.example.edu@AD.EXAMPLE.EDU in keytab.
No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab.
find_principal_in_keytab failed for principal host/ipa-client.example.edu@AD.EXAMPLE.EDU.

klist -ket produced the following output:

keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha1-96) 
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha1-96) 
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha384-192) 
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha256-128) 
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (des3-cbc-sha1) 
   host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (arcfour-hmac)

In the above output, the host principal contains ".au" in the domain part of the hostname, which is incorrect.

A reverse lookup with nslookup returned the hostname with the incorrect ".au" suffix:

# nslookup ipa-client.example.edu
Server:         130.x.x.x
Address:        130.x.x.x#53

Name:   ipa-client.example.edu
Address: 10.21.x.x
# nslookup 10.21.x.x
Server:         130.x.x.x
Address:        130.x.x.x#53

197.x.x.x.in-addr.arpa      name =  ipa-client.example.edu.au.
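
The comparison made above between the principal SSSD looks for and the principals in the keytab can be scripted. This is an added example, not part of the original article: the function names are hypothetical and SAMPLE_KLIST is constructed sample data shaped like klist -ket output. On a real host, pipe the output of klist -ket into check_host_principal instead.

```shell
#!/bin/sh
# Added example: does the keytab hold the host principal SSSD will look for?
# SAMPLE_KLIST is constructed sample data, not output from a real system.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/01/18 00:00:00 host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
   1 01/01/18 00:00:00 host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha1-96)'

# Print the unique host/ principals found in klist output read from stdin.
keytab_host_principals() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^host\/.*@/) print $i }' | sort -u
}

# check_host_principal FQDN REALM   (klist output on stdin)
# Prints a verdict line; returns 0 when host/FQDN@REALM is present, 1 otherwise.
check_host_principal() {
    want="host/$1@$2"
    short=${1%%.*}
    found=$(keytab_host_principals)
    if printf '%s\n' "$found" | grep -Fxq "$want"; then
        echo "OK: $want"
        return 0
    fi
    # Same short host name under a different domain suffix: the keytab was
    # created for another FQDN, so compare forward and reverse DNS records.
    near=$(printf '%s\n' "$found" | grep -F "host/$short." | head -n 1)
    if [ -n "$near" ]; then
        echo "MISMATCH: wanted $want, keytab has $near"
    else
        echo "MISSING: $want"
    fi
    return 1
}

# Demonstration on the constructed sample; a mismatch is the expected result.
printf '%s\n' "$SAMPLE_KLIST" | check_host_principal ipa-client.example.edu AD.EXAMPLE.EDU || true
```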

Environment

  • Red Hat Enterprise Linux 7.4
