#2006 Certmonger fails to issue host certificate when IPA client is outside of the IPA domain.
Closed: Fixed. Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=747443

Description of problem:
Certmonger will fail to issue host certificate when IPA client is outside of
the IPA domain.

Version-Release number of selected component (if applicable):
IPA Server RHEL 6.2beta
ipa-server-2.1.1-4.el6.x86_64

IPA Client RHEL 6.1:
ipa-client-2.0.0-23.el6.x86_64

How reproducible:
Set up an IPA client outside the IPA domain, e.g.:
IPA server (ix.example.com)
IPA client (test.example.com)

Steps to Reproduce:
1. Add "search ix.example.com" to the client's resolv.conf.

2. # ipa-client-install
ipa-client-install will fail to find SRV records for test.example.com,
continue to look for search/domain entries in resolv.conf, and prompt you to confirm
the findings. Installation will finish successfully without errors.

3. # ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20111019195147':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using
default keytab.
        stuck: yes
        ...


Actual results:
The host certificate will not be issued, but the host will successfully be
authenticated to the Kerberos realm.

klist -kt /etc/krb5.keytab will show you the host tickets.

Expected results:

Host certificate should successfully be issued.


Additional info:

Workaround:

Manually mapping the IPA client domain to the IPA domain in /etc/krb5.conf and
restarting certmonger solves the issue.

Add this to krb5.conf under [domain_realm]:
---
  .test.example.com = IX.EXAMPLE.COM
  test.example.com = IX.EXAMPLE.COM
---

ipa-client-install should be able to add this mapping by default.
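The workaround above, scripted so it can be applied and checked without hand-editing krb5.conf. This is an added example, not code from the ticket, the reporter, or the FreeIPA project. It assumes the ticket's layout (client test.example.com, realm IX.EXAMPLE.COM); the krb5.conf content built by demo() is constructed here for illustration, and the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not from the ticket or the FreeIPA project): apply the
# reporter's workaround programmatically. Given the client's DNS domain and
# the IPA realm, check whether krb5.conf's [domain_realm] section already
# maps the domain to the realm, and add the two mapping lines if it does not.
# Hostnames and realm are the ticket's example values; the krb5.conf
# content built by demo() is constructed here for illustration.

# domain_realm_mapped FILE DOMAIN REALM
# Exit 0 if FILE's [domain_realm] section maps DOMAIN or .DOMAIN to REALM.
domain_realm_mapped() {
    awk -v d="$2" -v r="$3" '
        # Track which section we are in; only [domain_realm] matters.
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        insec && NF {
            line = $0
            sub(/[#;].*/, "", line)               # strip trailing comments
            if (split(line, kv, "=") == 2) {
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                if ((kv[1] == d || kv[1] == ("." d)) && kv[2] == r) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# add_domain_realm_mapping FILE DOMAIN REALM
# Idempotently add ".DOMAIN = REALM" and "DOMAIN = REALM" to [domain_realm],
# creating the section if the file has none. Writes through to FILE (no
# rename) so its mode, ownership and SELinux label are preserved.
add_domain_realm_mapping() {
    file=$1; domain=$2; realm=$3
    if domain_realm_mapped "$file" "$domain" "$realm"; then
        return 0
    fi
    if grep -q '^[[:space:]]*\[domain_realm\]' "$file"; then
        # Insert the two lines directly after the section header.
        awk -v d="$domain" -v r="$realm" '
            { print }
            /^[ \t]*\[domain_realm\]/ { print "  ." d " = " r; print "  " d " = " r }
        ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '\n[domain_realm]\n  .%s = %s\n  %s = %s\n' \
            "$domain" "$realm" "$domain" "$realm" >> "$file"
    fi
}

# demo: run the workaround against a constructed krb5.conf in a temp file
# (client test.example.com, realm IX.EXAMPLE.COM, as in the ticket).
demo() {
    tmp=$(mktemp)
    printf '[libdefaults]\n  default_realm = IX.EXAMPLE.COM\n\n[domain_realm]\n  .ix.example.com = IX.EXAMPLE.COM\n  ix.example.com = IX.EXAMPLE.COM\n' > "$tmp"
    add_domain_realm_mapping "$tmp" test.example.com IX.EXAMPLE.COM
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

On an affected client you would run it as root against the real file, e.g. `add_domain_realm_mapping /etc/krb5.conf "$(hostname -d)" IX.EXAMPLE.COM && service certmonger restart` (RHEL 6 init script; the realm name is whatever your IPA realm is), then confirm with `ipa-getcert list` that the request has left CA_UNCONFIGURED. Back up /etc/krb5.conf first; the function only adds lines, never removes any.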

Lars proposed this patch on IRC
lars.patch

Patch ''freeipa-mkosek-154-fix-client-krb5-domain-mapping-and-dns.patch'' sent for review
freeipa-mkosek-154-fix-client-krb5-domain-mapping-and-dns.patch

Metadata Update from @dpal (7 years ago):
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1.4 (bug fixing)
