[Freeipa-users] Re: SSH Unspecified GSS failure, No key table entry found matching host

2018-06-29 Thread Kees Bakker via FreeIPA-users
On 28-06-18 23:39, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> After installing a PC with Ubuntu 18.04 I'm seeing this problem with
>> SSH logins. The gssapi-with-mic authentication method does not
>> work anymore. Strangely enough a system that I upgraded (16.04->18.04)
>> was working fine.
>>
>> The debug of sshd shows (fivel being the unqualified hostname):
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No key table entry found matching host/fivel@
>>
>> After debugging and looking at differences between the installed and
>> upgraded system I found that the new Ubuntu 18.04 installation has a
>> slightly different krb5 configuration.
>> These are:
>>
>> -8X-8X-8X-8X-
>> [libdefaults]
>> ...
>>    dns_canonicalize_hostname = false
>> ...
>> [domain_realm]
>> ...
>>   fqdn = 
>> -8X-8X-8X-8X-
>>
>>
>> Now the workaround for the login problem is to comment out 
>> dns_canonicalize_hostname.
>>
>> Can anyone comment on this? Why was this changed? Why doesn't it work out of
>> the box?
>>
> This has been the setting since IPA v4.5.

OK, that explains why we didn't see it with Ubuntu 16.04, which has FreeIPA 4.3,
while Ubuntu 18.04 has FreeIPA 4.7.

>
> IPA generally requires that the hostname of the system be
> fully-qualified. Is that the case on the working and non-working systems?
>

These are systems that get their IP address from a DHCP server. In /etc/hostname
we simply have their non-qualified hostname. Via DHCP they get their domain. So,
on a connected system you'd see:

$ hostname
fivel
$ hostname -f
fivel.ghs.nl

I always assumed that this was sufficient. But maybe I'm wrong.

Let me also mention that at one point we had the FQDN in /etc/hostname, but that
confused the DHCP setup, because it would attach an extra domain to the
hostname, like fivel.ghs.nl.ghs.nl
-- 
Kees
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LARDSPHIBFVX2N5EGDVQHU55OJVDWZED/
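As an added example (not code from the thread or from FreeIPA): a small POSIX shell preflight check that models which host/ principal sshd's GSSAPI acceptor asks the keytab for, given the machine's short hostname, its FQDN, the realm and the dns_canonicalize_hostname setting, and compares that with a `klist -k` listing. The sample hostname, FQDN, realm GHS.NL and keytab listing are constructed from the values in the thread. That the library uses the short name unchanged, with an empty (match-any) realm part, when canonicalization is off and no [domain_realm] entry matches is this example's model of MIT Kerberos behaviour, chosen to reproduce the "host/fivel@" in the sshd debug output; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: model which host/ principal sshd's
# GSSAPI acceptor will ask the keytab for, and check a keytab listing for it.

# Constructed sample inputs standing in for `hostname`, `hostname -f`,
# the Kerberos realm and the output of `klist -k /etc/krb5.keytab`.
SAMPLE_HOSTNAME="fivel"
SAMPLE_FQDN="fivel.ghs.nl"
SAMPLE_REALM="GHS.NL"
SAMPLE_KEYTAB_LISTING="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fivel.ghs.nl@GHS.NL
   2 host/fivel.ghs.nl@GHS.NL"

# expected_principal <hostname> <fqdn> <realm> <dns_canonicalize_hostname>
# Assumed model of MIT Kerberos: with canonicalization on, the short name is
# expanded to the FQDN (the DNS step is replaced by the supplied FQDN here)
# and mapped to the realm. With it off, the name is used as-is; an unqualified
# name matches no [domain_realm] entry, so the realm part is left empty, which
# is the "host/fivel@" seen in the sshd debug output.
expected_principal() {
  name="$1"; fqdn="$2"; realm="$3"; canon="$4"
  case "$canon" in
    true) printf 'host/%s@%s\n' "$fqdn" "$realm" ;;
    *)
      case "$name" in
        *.*) printf 'host/%s@%s\n' "$name" "$realm" ;;
        *)   printf 'host/%s@\n' "$name" ;;
      esac ;;
  esac
}

# keytab_has <principal> <klist -k listing>: exit 0 if an entry matches.
# An empty realm in the wanted principal matches any realm in the keytab,
# so the comparison then falls back to the host part alone.
keytab_has() {
  want="$1"; listing="$2"
  case "$want" in
    *@) printf '%s\n' "$listing" | awk -v w="$want" \
          'index($2, w) == 1 { found = 1 } END { exit found ? 0 : 1 }' ;;
    *)  printf '%s\n' "$listing" | awk -v w="$want" \
          '$2 == w { found = 1 } END { exit found ? 0 : 1 }' ;;
  esac
}

# check_gssapi_host <hostname> <fqdn> <realm> <canon> <listing>
# Prints a verdict and returns 0 (keytab entry present) or 1 (missing).
check_gssapi_host() {
  p=$(expected_principal "$1" "$2" "$3" "$4")
  if keytab_has "$p" "$5"; then
    printf 'OK: keytab has %s\n' "$p"
    return 0
  fi
  printf 'MISSING: sshd will look for %s, not found in keytab\n' "$p"
  return 1
}

# Run the two scenarios from the thread: the new 18.04 default and the workaround.
for canon in false true; do
  printf 'dns_canonicalize_hostname = %s: ' "$canon"
  check_gssapi_host "$SAMPLE_HOSTNAME" "$SAMPLE_FQDN" "$SAMPLE_REALM" \
    "$canon" "$SAMPLE_KEYTAB_LISTING" || :
done
```

On a real client you would feed it the output of `hostname`, `hostname -f` and `klist -k`; a MISSING verdict with the short hostname points at the same two fixes the thread discusses: set the canonical name in /etc/hostname so the host part matches the keytab, or re-enable canonicalization.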


[Freeipa-users] Re: SSH Unspecified GSS failure, No key table entry found matching host

2018-06-28 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote:
> Hey,
> 
> After installing a PC with Ubuntu 18.04 I'm seeing this problem with
> SSH logins. The gssapi-with-mic authentication method does not
> work anymore. Strangely enough a system that I upgraded (16.04->18.04)
> was working fine.
> 
> The debug of sshd shows (fivel being the unqualified hostname):
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No key table entry found matching host/fivel@
> 
> After debugging and looking at differences between the installed and
> upgraded system I found that the new Ubuntu 18.04 installation has a
> slightly different krb5 configuration. These are:
> 
> -8X-8X-8X-8X-
> [libdefaults]
> ...
>    dns_canonicalize_hostname = false
> ...
> [domain_realm]
> ...
>   fqdn = 
> -8X-8X-8X-8X-
> 
> 
> Now the workaround for the login problem is to comment out 
> dns_canonicalize_hostname.
> 
> Can anyone comment on this? Why was this changed? Why doesn't it work out of
> the box?
> 

This has been the setting since IPA v4.5.

IPA generally requires that the hostname of the system be
fully-qualified. Is that the case on the working and non-working systems?

rob
___
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WQXS7GKUR7GZZIVYIVYCIWOTYN56CPBD/