On Mon, 2015-06-22 at 10:53 +0000, Gsandtner Michael wrote:
> We want to connect with ssh via kerberos. The host's name resolves to one IP
> address, but the IP address resolves to two names (this is a required DNS
> configuration):
>
> # nslookup vmlxsuche1test
> Name: vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
>
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
>
> ssh sometimes works, sometimes does not (falls back to authentication method:
> password).
> In both cases the credential cache on the client looks equal (got a TGS for
> both names):
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadv...@magwien.gv.at
>
> Valid starting     Expires            Service principal
> 06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/magwien.gv...@magwien.gv.at
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv...@magwien.gv.at
>         renew until 06/29/15 11:56:42
>
> If we enter the host vmlxsuche1test (but not the second name zktest) in the
> client's /etc/hosts (thus DNS reverse lookup not done) it always works, then
> we get only one TGS:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadv...@magwien.gv.at
>
> Valid starting     Expires            Service principal
> 06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/magwien.gv...@magwien.gv.at
>         renew until 06/29/15 10:58:15
> 06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at
>         renew until 06/29/15 10:58:15
>
> Here some more information:
>
> # klist -ke   # the keytab on the host
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/vmlxsuche1test.host.magwien.gv...@magwien.gv.at (arcfour-hmac)
>    5 host/zktest.host.magwien.gv...@magwien.gv.at (arcfour-hmac)
>
> Here the entry in Active Directory (thus only one entry with both SPNs):
>
> dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
> servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
> servicePrincipalName: host/ZKTEST
> servicePrincipalName: host/zktest.host.magwien.gv.at
> servicePrincipalName: host/VMLXSUCHE1TEST
> msDS-KeyVersionNumber: 5
>
> KDC: Active Directory 2008
> sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6
>
> Any hint welcome.
You could try setting GSSAPIStrictAcceptorCheck to "no" in /etc/ssh/sshd_config on the server. The sshd_config(5) man page claims this is there to assist with operation on multi-homed machines.

I hope that helps.

Cheers,
Kenny.

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
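As an added illustration (not code from the thread), the following Python model shows why the acceptor check produces intermittent failures when the PTR lookup returns two names: the client asks for a ticket for whichever name comes back first, while with GSSAPIStrictAcceptorCheck yes sshd only accepts host/<its own hostname>. It assumes the server's hostname is vmlxsuche1test.host.magwien.gv.at, uses a placeholder realm EXAMPLE.REALM, and parses a constructed `klist -ke` listing modelled on the one above.

```python
import re
from typing import Dict, List, Set

# Constructed `klist -ke` listing: the two host principals from the thread,
# realm replaced by a placeholder (the real realm is not shown on the page).
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@EXAMPLE.REALM (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@EXAMPLE.REALM (arcfour-hmac)
"""

# Constructed DNS data: one A record whose address has two PTR names.
PTR_NAMES = ["vmlxsuche1test.host.magwien.gv.at", "zktest.host.magwien.gv.at"]
SSHD_HOSTNAME = "vmlxsuche1test.host.magwien.gv.at"  # assumed gethostname() on the server
REALM = "EXAMPLE.REALM"                               # placeholder realm


def keytab_principals(klist_output: str) -> Set[str]:
    """Extract principal names from `klist -ke` output, dropping KVNO and enctype."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s+\(", line)
        if m:
            principals.add(m.group(1))
    return principals


def acceptor_check(target: str, keytab: Set[str], sshd_hostname: str,
                   realm: str, strict: bool) -> bool:
    """Simplified model of sshd's GSSAPIStrictAcceptorCheck decision:
    strict=yes -> only host/<own hostname> is acceptable;
    strict=no  -> any principal that has a key in the keytab is acceptable."""
    if target not in keytab:
        return False  # no key for this principal: the ticket cannot be decrypted
    if strict:
        return target == f"host/{sshd_hostname}@{realm}"
    return True


def outcomes(ptr_names: List[str], keytab: Set[str], sshd_hostname: str,
             realm: str, strict: bool) -> Dict[str, bool]:
    """For each name the client may pick from the reverse lookup, does GSSAPI succeed?"""
    return {name: acceptor_check(f"host/{name}@{realm}", keytab, sshd_hostname, realm, strict)
            for name in ptr_names}


if __name__ == "__main__":
    kt = keytab_principals(KLIST_KE)
    for strict in (True, False):
        print(f"GSSAPIStrictAcceptorCheck {'yes' if strict else 'no'}:",
              outcomes(PTR_NAMES, kt, SSHD_HOSTNAME, REALM, strict))
```

With strict checking the zktest name is rejected even though its key is in the keytab, which matches the "sometimes works" behaviour; with the check off both names succeed.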