On 28-06-18 23:39, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> After installing a PC with Ubuntu 18.04 I'm seeing this problem with
>> SSH logins. The gssapi-with-mic authentication method does not
>> work anymore. Strangely enough a system that I upgraded (16.04->18.04)
>> was working fine.
>>
>> The debug of sshd shows (fivel being the unqualified hostname):
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No key table entry found matching host/fivel@
>>
>> After debugging and looking at differences between the installed and
>> upgraded system I found that the new Ubuntu 18.04 installation has a
>> slightly different krb5 configuration.
>> These are:
>>
>> -8X-8X-8X-8X-
>> [libdefaults]
>> ...
>> dns_canonicalize_hostname = false
>> ...
>> [domain_realm]
>> ...
>> fqdn =
>> -8X-8X-8X-8X-
>>
>>
>> Now the workaround for the login problem is to comment out
>> dns_canonicalize_hostname.
>>
>> Can anyone comment on this? Why was this changed? Why doesn't it work out of
>> the box?
>>
> This has been the setting since IPA v4.5.
OK, that explains why we didn't see it with Ubuntu 16.04, which has FreeIPA 4.3,
and Ubuntu 18.04 has FreeIPA 4.7.
>
> IPA generally requires that the hostname of the system be
> fully-qualified. Is that the case on the working and non-working systems?
>
These are systems that get their IP address from a DHCP server. In /etc/hostname
we simply have their non-qualified hostname. Via DHCP they get their domain. So,
on a connected system you'd see:

$ hostname
fivel
$ hostname -f
fivel.ghs.nl

I always assumed that this was sufficient. But maybe I'm wrong.

Let me also mention that at one point we had FQDN in /etc/hostname, but that
confused the DHCP setup, because it would attach an extra domain to the
hostname, like fivel.ghs.nl.ghs.nl
--
Kees
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LARDSPHIBFVX2N5EGDVQHU55OJVDWZED/
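
Added example, not part of the thread and not FreeIPA or Ubuntu tooling: a small shell check that predicts which host principal the SSH server will look for in its keytab and reports whether it is there. It assumes, as the sshd debug line in the thread suggests, that with dns_canonicalize_hostname disabled the name returned by `hostname` is used unchanged; the realm EXAMPLE.TEST, the krb5.conf text and the `klist -k` listing are constructed placeholders.

```bash
#!/usr/bin/env bash
# Constructed sample inputs (realm EXAMPLE.TEST is a placeholder).
CONF_FALSE='[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_canonicalize_hostname = false'
CONF_COMMENTED='[libdefaults]
  default_realm = EXAMPLE.TEST
  #dns_canonicalize_hostname = false'
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 host/fivel.ghs.nl@EXAMPLE.TEST'

# Effective dns_canonicalize_hostname from krb5.conf text on stdin.
# MIT krb5 treats the option as true when it is absent or commented out.
canon_setting() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*dns_canonicalize_hostname[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = tolower($0)
        }
        END { print (val == "" ? "true" : val) }'
}

# expected_principal SHORT FQDN SETTING REALM
# Assumption: with canonicalization off, the short name is used unchanged.
expected_principal() {
    case "$3" in
        false|no|off|0) printf 'host/%s@%s\n' "$1" "$4" ;;
        *)              printf 'host/%s@%s\n' "$2" "$4" ;;
    esac
}

# keytab_has PRINCIPAL: reads `klist -k` output on stdin, exit 0 if listed.
keytab_has() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# diagnose SHORT FQDN REALM KRB5CONF_TEXT KLIST_TEXT
diagnose() (
    setting=$(printf '%s\n' "$4" | canon_setting)
    want=$(expected_principal "$1" "$2" "$setting" "$3")
    if printf '%s\n' "$5" | keytab_has "$want"; then
        echo "OK $want"
    else
        echo "MISSING $want"
    fi
)

diagnose fivel fivel.ghs.nl EXAMPLE.TEST "$CONF_FALSE" "$KLIST_SAMPLE"
diagnose fivel fivel.ghs.nl EXAMPLE.TEST "$CONF_COMMENTED" "$KLIST_SAMPLE"
```

On a real host, pass `"$(hostname)"`, `"$(hostname -f)"`, the site's realm, `"$(cat /etc/krb5.conf)"` and `"$(klist -k /etc/krb5.keytab)"` to `diagnose` instead of the samples.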