https://bugzilla.redhat.com/show_bug.cgi?id=747443
Description of problem:
Certmonger will fail to issue a host certificate when the IPA client is outside of the IPA domain.

Version-Release number of selected component (if applicable):
IPA Server RHEL 6.2beta: ipa-server-2.1.1-4.el6.x86_64
IPA Client RHEL 6.1: ipa-client-2.0.0-23.el6.x86_64

How reproducible:
Set up an IPA client outside the IPA domain, i.e.:
IPA server: ix.example.com
IPA client: test.example.com

Steps to Reproduce:
1. Add "search ix.example.com" to the client's resolv.conf.
2. # ipa-client-install
   ipa-client-install will fail to find SRV records for test.example.com, continue to look for search/domain in resolv.conf and prompt you to confirm the findings. The installation will finish successfully without errors.
3. # ipa-getcert list
   Number of certificates and requests being tracked: 1.
   Request ID '20111019195147':
     status: CA_UNCONFIGURED
     ca-error: Error setting up ccache for local "host" service using default keytab.
     stuck: yes
   ...

Actual results:
The host certificate will not be issued, but the host will successfully be authenticated to the Kerberos realm. klist -kt /etc/krb5.keytab will show you the host tickets.

Expected results:
The host certificate should successfully be issued.

Additional info:
Workaround: Manually mapping the IPA client domain to the IPA domain in /etc/krb5.conf and restarting certmonger will solve the issue. Add this to krb5.conf under [domain_realm]:
---
.test.example.com = IX.EXAMPLE.COM
test.example.com = IX.EXAMPLE.COM
----
ipa-client-install should be able to add this mapping by default.
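As an added illustration of the workaround above (not FreeIPA's code and not the reporter's), the following Python applies the same [domain_realm] mapping to a krb5.conf: it checks whether the client FQDN lies under the IPA DNS domain and, if not, inserts the "host = REALM" and ".host = REALM" entries, leaving existing mappings alone. The sample krb5.conf and the hostname/domain/realm values are constructed from the ticket's example; the function names are this example's own.

```python
import re
# Constructed sample krb5.conf for a host in the IPA domain (not from the ticket).
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = IX.EXAMPLE.COM

[domain_realm]
 .ix.example.com = IX.EXAMPLE.COM
 ix.example.com = IX.EXAMPLE.COM
"""
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
MAPPING_RE = re.compile(r"^\s*(?P<domain>[^\s=]+)\s*=\s*(?P<realm>\S+)\s*$")

def host_is_outside_domain(hostname, ipa_domain):
    """True when the client's FQDN is not under the IPA DNS domain."""
    host, domain = hostname.rstrip(".").lower(), ipa_domain.rstrip(".").lower()
    return not (host == domain or host.endswith("." + domain))

def domain_realm_mappings(conf_text):
    """Return the {domain: REALM} pairs found in the [domain_realm] section."""
    mappings, in_section = {}, False
    for line in conf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group("name").strip() == "domain_realm"
            continue
        if not in_section or line.lstrip().startswith(("#", ";")):
            continue
        m = MAPPING_RE.match(line)
        if m:
            mappings[m.group("domain").lower()] = m.group("realm")
    return mappings

def ensure_domain_realm_mapping(conf_text, hostname, ipa_domain, realm):
    """Add 'host = REALM' and '.host = REALM' when the client is outside the IPA domain."""
    if not host_is_outside_domain(hostname, ipa_domain):
        return conf_text
    host = hostname.rstrip(".").lower()
    present = domain_realm_mappings(conf_text)
    wanted = [" %s = %s" % (d, realm) for d in (host, "." + host) if d not in present]
    if not wanted:
        return conf_text  # mapping already there: nothing to do, file untouched
    lines = conf_text.splitlines()
    # Insert right after the [domain_realm] header, or append a new section.
    for i, line in enumerate(lines):
        sec = SECTION_RE.match(line)
        if sec and sec.group("name").strip() == "domain_realm":
            lines[i + 1:i + 1] = wanted
            break
    else:
        lines += ["", "[domain_realm]"] + wanted
    return "\n".join(lines) + "\n"
```

Calling ensure_domain_realm_mapping a second time on its own output returns the text unchanged, so it is safe to run on every client install.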
Lars proposed this patch on IRC: lars.patch
Patch ''freeipa-mkosek-154-fix-client-krb5-domain-mapping-and-dns.patch'' sent for review.
master: bb6e720
ipa-2-1: a2d0ca2
Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1.4 (bug fixing)