On Tue, 2012-08-07 at 12:23 -0500, Matt Garman wrote:
> Hi,
>
> I'm trying to get ssh working using gssapi-with-mic authentication. I have about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4 mounts with "krb5p" security. All these machines mount the same NFSv4 share (think home directories) so my users need to be able to forward their TGT around.)
>
> What I'm ultimately running into is sshd complaining "Key table entry not found" on *most* of the servers---a random handful work, and I can't figure out how the working ones are different.
>
> So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using gssapi-with-mic authentication.
>
> Here's the output of trying to ssh:
>
> [matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
> debug1: Connection established.
> debug1: identity file /mnt/home/matt/.ssh/identity type -1
> debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
> debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
> debug1: loaded 3 keys
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'lnxsvr11' is known and matches the RSA host key.
> debug1: Found key in /mnt/home/matt/.ssh/known_hosts:207
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-with-mic,password).
>
> On the server side, /var/log/secure, with sshd running with LogLevel DEBUG:
>
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> Aug 7 11:53:06 lnxsvr11 sshd[4804]: debug1: Forked child 4998.
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: inetd sockets after dupping: 3, 3
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: Connection from 192.168.187.61 port 43559
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: match: OpenSSH_4.3 pat OpenSSH*
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Enabling compatibility mode for protocol 2.0
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Local version string SSH-2.0-OpenSSH_4.3
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: permanently_set_uid: 74/74
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEXINIT received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: client->server aes128-ctr hmac-md5 none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: kex: server->client aes128-ctr hmac-md5 none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS sent
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: expecting SSH2_MSG_NEWKEYS
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: SSH2_MSG_NEWKEYS received
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: KEX done
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method none
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 0 failures 0
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: initializing for "matt"
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 1 failures 1
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_RHOST to "lnxsvr3.mydomain.com"
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: setting PAM_TTY to "ssh"
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: Postponed gssapi-with-mic for matt from 192.168.187.61 port 43559 ssh2
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Unspecified GSS failure. Minor code may provide more information\nKey table entry not found\n
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: Got no client credentials
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 2 failures 2
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: userauth-request for user matt service ssh-connection method gssapi-with-mic
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: attempt 3 failures 3
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: Connection closed by 192.168.187.61
> Aug 7 11:53:06 lnxsvr11 sshd[5001]: debug1: do_cleanup
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: do_cleanup
> Aug 7 11:53:06 lnxsvr11 sshd[4998]: debug1: PAM: cleanup
>
> Based on the web searching I've done for this issue, it seems the most common culprit is DNS issues. But as far as I can tell, my /etc/hosts and DNS are set up correctly and in agreement. So here is the output of various commands on lnxsvr11:
>
> [root@lnxsvr11 ~]# klist -ekt
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 08/07/12 11:39:04 host/[email protected] (DES cbc mode with CRC-32)
>    5 08/07/12 11:39:45 nfs/[email protected] (DES cbc mode with CRC-32)
>
> [root@lnxsvr11 ~]# hostname
> lnxsvr11.mydomain.com
> [root@lnxsvr11 ~]# hostname
> lnxsvr11
> [root@lnxsvr11 ~]# hostname -s
> lnxsvr11
> [root@lnxsvr11 ~]# hostname -f
> lnxsvr11.mydomain.com
>
> [root@lnxsvr11 ~]# grep 192.168.187.67 /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
> [root@lnxsvr11 ~]# grep "lnxsvr11\." /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
> [root@lnxsvr11 ~]# grep "lnxsvr11$" /etc/hosts
> 192.168.187.67 lnxsvr11.mydomain.com lnxsvr11
>
> [root@lnxsvr11 ~]# dig -x 192.168.187.67
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 192.168.187.67
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13806
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;67.187.168.192.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 67.187.168.192.in-addr.arpa. 604800 IN PTR lnxsvr11.mydomain.com.
>
> ;; AUTHORITY SECTION:
> 187.168.192.in-addr.arpa. 604800 IN NS ns1.mydomain.com.
>
> ;; ADDITIONAL SECTION:
> ns1.mydomain.com. 604800 IN A 192.168.184.7
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.184.7#53(192.168.184.7)
> ;; WHEN: Tue Aug 7 11:59:35 2012
> ;; MSG SIZE rcvd: 120
>
> Can anyone see anything obvious that I'm missing?
What does the 'hostname' command return on your machine?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
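The check Simo's question points at, carried through as an added example that is not part of the thread: sshd's GSSAPI acceptor only succeeds when the keytab holds a key for host/<canonical name>@REALM, where the canonical name is what the client resolved for the server (MIT krb5 canonicalises through the PTR record by default), so this compares `hostname -f`, the PTR result and a `klist -ekt` listing, and also flags host keys that exist only in DES enctypes, which MIT krb5 1.8 and later refuse unless allow_weak_crypto is enabled. The realm MYDOMAIN.COM and the full principal names in the sample are assumptions, since the message shows them obfuscated.

```python
import re

# Constructed `klist -ekt` listing, modelled on the one in the thread. The realm
# MYDOMAIN.COM and the full principal names are assumptions (the post obfuscates them).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/07/12 11:39:04 host/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   5 08/07/12 11:39:45 nfs/lnxsvr11.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
"""

# One keytab entry: KVNO, "MM/DD/YY HH:MM:SS", principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries

def diagnose_host_principal(klist_text, fqdn, ptr_name, realm, weak=("DES",)):
    """List reasons sshd's GSSAPI acceptor could report 'Key table entry not found'.

    fqdn is what `hostname -f` prints; ptr_name is the PTR record for the host's
    address (trailing dot allowed). The client asks the KDC for a ticket to
    host/<canonical name>@REALM, so exactly that principal must be in the keytab.
    """
    findings = []
    ptr = ptr_name.rstrip(".")
    if fqdn.lower() != ptr.lower():
        findings.append("hostname -f (%s) and PTR (%s) disagree" % (fqdn, ptr))
    wanted = "host/%s@%s" % (ptr, realm)
    entries = parse_keytab_listing(klist_text)
    host_keys = [e for e in entries if e[1].lower() == wanted.lower()]
    if not host_keys:
        have = sorted({e[1] for e in entries if e[1].startswith("host/")})
        findings.append("no keytab entry for %s (have: %s)"
                        % (wanted, ", ".join(have) or "none"))
    elif all(any(w.lower() in enc.lower() for w in weak) for _, _, enc in host_keys):
        # DES-only keys are refused by MIT krb5 >= 1.8 unless allow_weak_crypto = true
        findings.append("%s is keyed only with weak enctypes: %s"
                        % (wanted, "; ".join(sorted({e[2] for e in host_keys}))))
    return findings

if __name__ == "__main__":
    for f in diagnose_host_principal(SAMPLE_KLIST, "lnxsvr11.mydomain.com",
                                     "lnxsvr11.mydomain.com.", "MYDOMAIN.COM"):
        print(f)
```

On a live host, feed it the real `klist -ekt` output, `hostname -f`, and the PTR from `dig -x` on the address the clients connect to.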
