I have a config that is working on Ubuntu 10.04 and above but failing on 8.04. Any suggestions would be appreciated!
The problem is that I cannot SSH into the 8.04 machines unless I am using an account in the same realm as the DNS suffix of the system. I am using Windows Active Directory as both my LDAP and Kerberos server. LDAP is using RFC2307 attributes and doing its queries against the Global Catalog ports so it can resolve users in all the AD domains. krb5.conf is using the defaults; we have SRV records (the ones created by AD) which appear to be adequate. I have no keytab defined. So for host.eng.company.com I can log in (with just the UID) if I am [email protected] but not [email protected] or [email protected]. kinit works fine. getent/id works fine. On newer Ubuntu versions it works as well.

For this user I cannot log in interactively or SSH (host is in "gso.company.com"):

    root@gsovm-psbs03:~# getent passwd testdude
    testdude:*:60222:5002113:testdude testdude:/home/testdude:/bin/bash
    root@gsovm-psbs03:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    09/06/12 12:58:28  09/06/12 22:58:30  krbtgt/[email protected]
            renew until 09/07/12 12:58:28

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

But for this user it works (user and machine in same DNS/Kerberos realm):

    13:13:43:eng-test-admin@gsovm-psbs03>klist
    Ticket cache: FILE:/tmp/krb5cc_50076
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    09/06/12 13:13:42  09/06/12 23:13:42  krbtgt/[email protected]
            renew until 09/07/12 13:13:42

    Kerberos 4 ticket cache: /tmp/tkt50076
    klist: You have no tickets cached
________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
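The symptom in the post (a principal in the host's own realm maps to a local account, a principal from another realm does not, even though kinit and getent succeed) is exactly what the default principal-to-local-name mapping of the krb5 library produces: with no auth_to_local setting in the [realms] section of krb5.conf, only single-component principals in the host's default realm are mapped to a local user name; everything else is rejected before PAM or sshd ever looks the user up. The script below is an added example, not code from the post or from MIT Kerberos; it emulates that mapping in simplified form (the DEFAULT entry and the RULE:[n:string](regexp)s/pat/repl/ syntax) so the two cases from the post can be compared with and without a rule for the second realm. The realm names GSO.COMPANY.COM and ENG.COMPANY.COM are assumed from the DNS suffixes in the post, since the actual principals there are obfuscated; the regex dialect is Python's rather than POSIX sed, which is a simplification. A separate point for a host without a keytab, as described in the post: pam_krb5 uses the host key to validate the ticket it obtains, so without a keytab the password path cannot detect a spoofed KDC, and GSSAPI authentication in sshd is not possible at all.

```python
"""Simplified emulation of the krb5 auth_to_local mapping (added example)."""
import re

# Assumed realm for the host gsovm-psbs03 (DNS suffix gso.company.com in the post).
DEFAULT_REALM = "GSO.COMPANY.COM"

# RULE:[<n>:<format>](<selector regex>)s/<pattern>/<replacement>/<flags>
# The selector and the substitution are both optional in MIT's syntax.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/([gL]*))?$"
)


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Evaluate one auth_to_local entry; return the local name or None."""
    if rule == "DEFAULT":
        # Only single-component principals in the default realm are mapped.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, selector, pattern, repl, flags = m.groups()
    if len(components) != int(ncomp):
        return None  # rule is for principals with a different component count
    # Build the selection string: $0 is the realm, $1..$n the components.
    text = fmt.replace("$0", realm)
    for i, comp in enumerate(components, 1):
        text = text.replace("$%d" % i, comp)
    # The selector regex must match the whole selection string.
    if selector is not None and not re.fullmatch(selector, text):
        return None
    if pattern is not None:
        count = 0 if "g" in (flags or "") else 1
        text = re.sub(pattern, repl, text, count=count)
    if "L" in (flags or ""):
        text = text.lower()
    return text


def map_principal(principal, rules=("DEFAULT",)):
    """First matching auth_to_local entry wins; None means 'no local user'."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, comps, realm)
        if local is not None:
            return local
    return None


# A rule set that also admits plain user principals from the ENG realm by
# stripping the realm, then falls back to the default mapping (constructed).
CROSS_REALM_RULES = (
    r"RULE:[1:$1@$0](^.*@ENG\.COMPANY\.COM$)s/@.*//",
    "DEFAULT",
)

if __name__ == "__main__":
    for p in ("testdude@GSO.COMPANY.COM", "testdude@ENG.COMPANY.COM"):
        print("%-28s default -> %-10r with rule -> %r"
              % (p, map_principal(p), map_principal(p, CROSS_REALM_RULES)))
```

With only DEFAULT in effect, testdude@ENG.COMPANY.COM maps to nothing, which matches the post's failed login on the gso host; with the cross-realm RULE in front of DEFAULT, it maps to the same local account that getent already resolves. The equivalent in a real krb5.conf goes under the host's realm in [realms] as one auth_to_local line per rule, in the order shown.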
