On Tue, Aug 21, 2018 at 03:21:27PM +0000, Ondrej Valousek wrote:
> Hi list,
> 
> I have noticed that there is a slight difference in host principals when 
> joining to AD using the "net" command or via "adcli/realm".
> All commands generate the short version (i.e. as per "hostname -s") in 
> capital letters in AD, but in the local Kerberos keytab, the "net" command 
> generates all "host/" principals lower case, while "adcli" generates them upper 
> case - which renders kerberized access via ssh unusable in case we specify the 
> hostname without the domain suffix:
> # cat /etc/hostname
> Myshostname
> 
> Question, why do you convert the short hostname to uppercase? Why is sshd so 
> picky about lower/upper cases for the host principals in Kerberos keytab?

I cannot say why adcli behaves this way. I haven't checked this but
maybe Windows clients use the upper-case version as well when joining?

I guess it is not sshd being picky but libkrb5. Kerberos principal
names are case sensitive according to the related RFCs, and libkrb5 is
implemented this way. AD on the other hand treats Kerberos principals
case-insensitively.

Have you tried to set 'GSSAPIStrictAcceptorCheck = no' in
/etc/ssh/sshd_config? Its purpose is a bit different but maybe it covers
these cases as well.

bye,
Sumit

> Thanks,
> 
> Ondrej

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/MESFHNF3QFTUUX34WBVZX24F2G2GPAW5/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/3XLOUCIPQ7AGL4CIAB5NB5ZNETGMIRQA/
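The mismatch described in this thread is easy to check for before it bites: libkrb5 on the sshd side looks up `host/<hostname>@REALM` exactly as spelled, while AD would have accepted any casing. The script below is an added example (not code from the thread, from sssd or from adcli) that reads `klist -kte`-style output, which is embedded here as a constructed sample rather than taken from a real keytab, and reports for each hostname a client might use whether the keytab holds an exact match, only a match that differs in case (works against AD, fails with libkrb5's strict comparison), or nothing at all. The realm `EXAMPLE.COM` and the principals in the sample are assumptions for illustration.

```python
"""Check which 'host/' keytab entries sshd (via libkrb5) can actually use.

Added example; parses `klist -kte` style output and flags principals that
only match the expected acceptor name case-insensitively, i.e. the
adcli-upper-case vs. lower-case-hostname situation from the thread.
"""
import re
from typing import Dict, List

# Constructed sample of `klist -kte /etc/krb5.keytab` output (not a real keytab).
# Mirrors the thread: the short name was written upper-case by the join tool,
# while the FQDN entry is lower-case.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/21/2018 15:00:00 host/MYSHOSTNAME@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/21/2018 15:00:00 host/myshostname.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/21/2018 15:00:00 MYSHOSTNAME$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# A keytab entry line starts with the KVNO; the principal is the last
# token containing '@' (works for both `klist -k` and `klist -kte` layouts).
KEYTAB_LINE_RE = re.compile(r"^\s*\d+\s+(?:.*\s)?(\S+@\S+)")


def keytab_principals(klist_output: str) -> List[str]:
    """Return the distinct principal names found in klist output, in order."""
    found = []
    for line in klist_output.splitlines():
        m = KEYTAB_LINE_RE.match(line)
        if m:
            found.append(m.group(1))
    return list(dict.fromkeys(found))


def acceptor_principal(hostname: str, realm: str) -> str:
    """Principal libkrb5 looks up when sshd on `hostname` accepts a GSSAPI context."""
    return f"host/{hostname}@{realm}"


def check_acceptor(hostname: str, realm: str, principals: List[str]) -> str:
    """Classify the keytab against the acceptor name a client would target.

    'ok'            - exact, case-sensitive match: libkrb5 will find the key.
    'case-mismatch' - only a case-insensitive match: AD would accept it,
                      libkrb5 (and therefore sshd) will not.
    'missing'       - no entry for this hostname at all.
    """
    wanted = acceptor_principal(hostname, realm)
    if wanted in principals:
        return "ok"
    if any(p.lower() == wanted.lower() for p in principals):
        return "case-mismatch"
    return "missing"


def report(hostnames: List[str], realm: str, klist_output: str) -> Dict[str, str]:
    """Run check_acceptor() for every hostname a client might connect with."""
    principals = keytab_principals(klist_output)
    return {h: check_acceptor(h, realm, principals) for h in hostnames}


if __name__ == "__main__":
    # Both the short name (what the thread's user typed) and the FQDN.
    realm = "EXAMPLE.COM"
    for host, status in report(["myshostname", "myshostname.example.com"],
                               realm, SAMPLE_KLIST_OUTPUT).items():
        print(f"{acceptor_principal(host, realm)}: {status}")
```

On a real host, feed it the output of `klist -kte /etc/krb5.keytab` instead of the sample. A `case-mismatch` result for the short name is exactly the symptom in this thread; the fix is either a keytab entry with the casing clients actually use, or, as suggested above, relaxing the acceptor check in sshd.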
