AD users are not able to ssh in to IPA client due to the error: "No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab" in krb5_child.log file
Issue
AD users are not able to ssh in to the IPA client due to the error "No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab" in the krb5_child.log file.
The id command returns correct output for the AD users.
AD users are able to ssh in to the IPA server.
The following errors are seen in /var/log/sssd/krb5_child.log:
Trying to find principal host/ipa-client.example.edu@AD.EXAMPLE.EDU in keytab.
No principal matching host/ipa-client.example.edu@AD.EXAMPLE.EDU found in keytab.
find_principal_in_keytab failed for principal host/ipa-client.example.edu@AD.EXAMPLE.EDU.
klist -ket produced the following output:
keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha1-96)
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha384-192)
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha256-128)
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (des3-cbc-sha1)
host/host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (arcfour-hmac)
In the above output, ".au" is included in the domain part of the hostname in the keytab principals, which is incorrect: SSSD looks for host/ipa-client.example.edu@AD.EXAMPLE.EDU, so the entry is never matched.
A reverse lookup with nslookup returned the hostname with the incorrect ".au":
#nslookup ipa-client.example.edu
Server: 130.x.x.x
Address: 130.x.x.x#53
Name: ipa-client.example.edu
Address: 10.21.x.x
# nslookup 10.21.x.x
Server: 130.x.x.x
Address: 130.x.x.x#53
197.x.x.x.in-addr.arpa name = ipa-client.example.edu.au.
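As an added diagnostic (not from the article), a POSIX shell check that parses a klist -ket listing for host/ principals and confirms that the one SSSD looks up, host/<fqdn>@<AD realm>, is actually present, reporting any host principal in that realm that carries a different hostname. SAMPLE_KLIST is a constructed listing mirroring the case above; live_check is assumed to be run on the IPA client itself and uses only hostname, getent and klist.

```shell
#!/bin/sh
# Constructed sample of `klist -ket` output reproducing the mismatch above:
# the keytab carries ".au" principals while the client's FQDN has none.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ----------------- --------------------------------------------------------
   2 01/01/18 10:00:00 host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
   2 01/01/18 10:00:00 host/ipa-client.example.edu.au@AD.EXAMPLE.EDU (aes128-cts-hmac-sha1-96)
   3 01/01/18 10:00:00 host/ipa-client.example.edu@EXAMPLE.EDU (aes256-cts-hmac-sha1-96)'

# keytab_host_principals LISTING
# Prints the unique host/ principals in a klist -ket listing (enctype stripped).
keytab_host_principals() {
    printf '%s\n' "$1" |
        awk '$NF ~ /^\(/ && $(NF-1) ~ /^host\// { print $(NF-1) }' | sort -u
}

# check_keytab_hostname FQDN REALM LISTING
# Returns 0 if host/FQDN@REALM is in the listing, 1 otherwise; any host/
# principal in REALM with a different hostname is reported on stderr.
check_keytab_hostname() {
    fqdn=$1; realm=$2; listing=$3
    wanted="host/$fqdn@$realm"
    found=1
    for p in $(keytab_host_principals "$listing"); do
        case "$p" in
            "$wanted") found=0 ;;
            host/*@"$realm") printf 'hostname mismatch in %s: %s\n' "$realm" "$p" >&2 ;;
        esac
    done
    [ "$found" -eq 0 ] || printf 'missing from keytab: %s\n' "$wanted" >&2
    return "$found"
}

# live_check AD_REALM (run on the client): compare forward and reverse DNS for
# the client's FQDN, then check the real keytab for the expected principal.
live_check() {
    fqdn=$(hostname -f)
    ip=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
    rev=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$fqdn" = "$rev" ] || echo "reverse DNS for $ip gives '$rev', not '$fqdn'" >&2
    check_keytab_hostname "$fqdn" "$1" "$(klist -ket 2>/dev/null)"
}
```

On a client with this problem, live_check AD.EXAMPLE.EDU reports both the reverse-DNS discrepancy and the mismatched keytab principals, which is the pair of symptoms the article describes.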
Environment
- Red Hat Enterprise Linux 7.4