We want to connect with ssh via Kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):

    # nslookup vmlxsuche1test
    Name:    vmlxsuche1test.host.magwien.gv.at
    Address: 10.153.92.100

    # nslookup 10.153.92.100
    100.92.153.10.in-addr.arpa  name = vmlxsuche1test.host.magwien.gv.at.
    100.92.153.10.in-addr.arpa  name = zktest.host.magwien.gv.at.

ssh sometimes works, sometimes does not (falls back to authentication method: password). In both cases the credential cache on the client looks the same (got a TGS for both names):

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: lanadv...@magwien.gv.at

    Valid starting     Expires            Service principal
    06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/magwien.gv...@magwien.gv.at
            renew until 06/29/15 11:56:42
    06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at
            renew until 06/29/15 11:56:42
    06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv...@magwien.gv.at
            renew until 06/29/15 11:56:42

If we enter the host vmlxsuche1test (but not the second name zktest) in the client's /etc/hosts (so no DNS reverse lookup is done), it always works, and then we get only one TGS:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: lanadv...@magwien.gv.at

    Valid starting     Expires            Service principal
    06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/magwien.gv...@magwien.gv.at
            renew until 06/29/15 10:58:15
    06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at
            renew until 06/29/15 10:58:15

Here is some more information:

    # klist -ke    # the keytab on the host
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       5 host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at (arcfour-hmac)
       5 host/zktest.host.magwien.gv...@magwien.gv.at (arcfour-hmac)

Here is the entry in Active Directory (so only one entry with both SPNs):

    dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
    servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
    servicePrincipalName: host/ZKTEST
    servicePrincipalName: host/zktest.host.magwien.gv.at
    servicePrincipalName: host/VMLXSUCHE1TEST
    msDS-KeyVersionNumber: 5

KDC: Active Directory 2008
sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6

Any hint welcome.

Kind regards
DI Michael Gsandtner
AS3 - Zentrale Dienste
MA 14 - Informations- und Kommunikationstechnologie
A - 1220 Wien, Stadlauer Straße 56/B.02.054
Phone: +43 1 4000 91640
Mobile: +43 676 8118 91640
Fax: +43 1 4000 99 91640
E-Mail: michael.gsandt...@wien.gv.at
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
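Added example (not part of the original post, nor code from MIT krb5 or OpenSSH): a small Python model of how an MIT krb5 client with the default rdns = true turns the host name given to ssh into the host/ service principal it requests, and what that means when one address has two PTR records, as in the post. The forward and reverse data, the keytab contents and the /etc/hosts workaround are constructed from the figures quoted above. The realm spelling MAGWIEN.GV.AT, and the server-side function sshd_accepts (a simplified stand-in for OpenSSH's default GSSAPIStrictAcceptorCheck yes, compared against the principal sshd derives for its own host name) are assumptions made for the example, not facts established by the thread.

```python
"""Model of Kerberos host-name canonicalization with two PTR records.

Constructed data only: nothing here talks to DNS, a KDC or sshd.
"""

REALM = "MAGWIEN.GV.AT"          # assumed realm spelling (post shows it obfuscated)
ADDR = "10.153.92.100"
NAME_A = "vmlxsuche1test.host.magwien.gv.at"
NAME_B = "zktest.host.magwien.gv.at"

# Constructed forward zone: both names point at the one address.
FORWARD = {NAME_A: ADDR, NAME_B: ADDR}
# Constructed reverse zone: two PTR records for the same address.
PTR = {ADDR: [NAME_A, NAME_B]}
# Server keytab as shown by klist -ke in the post: keys for both names.
KEYTAB = {f"host/{NAME_A}@{REALM}", f"host/{NAME_B}@{REALM}"}


def _match_name(name, table):
    """Match a FQDN or its first label against a name -> address table."""
    for fqdn, addr in table.items():
        if name == fqdn or name == fqdn.split(".")[0]:
            return fqdn, addr
    return None


def resolve_forward(name, hosts):
    """getaddrinfo(AI_CANONNAME) model: /etc/hosts is consulted before DNS."""
    hit = _match_name(name, hosts) or _match_name(name, FORWARD)
    if hit is None:
        raise LookupError(name)
    return hit


def resolve_reverse(addr, hosts, rotation):
    """getnameinfo() model: /etc/hosts first, otherwise one PTR name.

    A resolver may hand the PTR set back in any order; `rotation` picks
    which record comes first, standing in for that non-determinism.
    """
    for fqdn, a in hosts.items():
        if a == addr:
            return fqdn
    names = PTR.get(addr)
    if not names:
        return None
    return names[rotation % len(names)]


def sname_to_principal(hostname, hosts=None, rdns=True, rotation=0):
    """Mirror krb5_sname_to_principal(): forward lookup, then with
    rdns = true the reverse name replaces the canonical name."""
    hosts = hosts or {}
    fqdn, addr = resolve_forward(hostname, hosts)
    if rdns:
        rev = resolve_reverse(addr, hosts, rotation)
        if rev:
            fqdn = rev
    return f"host/{fqdn.lower()}@{REALM}"


def possible_principals(hostname, hosts=None, rdns=True):
    """Every principal the client may end up requesting across PTR orderings."""
    n = max(len(v) for v in PTR.values())
    return sorted({sname_to_principal(hostname, hosts, rdns, r) for r in range(n)})


def sshd_accepts(principal, acceptor_principal, strict=True):
    """Simplified server side: the key must be in the keytab, and with the
    strict acceptor check the ticket must name the principal sshd derived
    for its own host name (assumption: the vmlxsuche1test one)."""
    if principal not in KEYTAB:
        return False
    return (not strict) or principal == acceptor_principal


def outcomes(hostname, hosts=None, rdns=True,
             acceptor=f"host/{NAME_A}@{REALM}", strict=True):
    """Map each principal the client may request to whether sshd would accept it."""
    return {p: sshd_accepts(p, acceptor, strict)
            for p in possible_principals(hostname, hosts, rdns)}


if __name__ == "__main__":
    print("DNS only, rdns = true:      ", outcomes("vmlxsuche1test"))
    print("/etc/hosts entry for A only:", outcomes("vmlxsuche1test", hosts={NAME_A: ADDR}))
    print("rdns = false in krb5.conf:  ", outcomes("vmlxsuche1test", rdns=False))
```

Run as-is, the first scenario shows the requested principal flipping between the two names with the PTR order, which is the "sometimes works" pattern from the post; the /etc/hosts entry pins it to vmlxsuche1test, matching the single TGS observed; rdns = false in the [libdefaults] section of krb5.conf skips the reverse lookup entirely without touching /etc/hosts. Since both keys are in the keytab, the keytab alone does not decide success: which name sshd itself canonicalizes to for the acceptor check is the thing worth confirming on the server.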