openssh single-sing-on problem
Kevin Coffman
kwc at citi.umich.edu
Thu Apr 28 09:23:31 EDT 2005
> Now I want to try to enable single-sign-on using openssh. When trying it
> from KDC host to itself, it works fine (after I created a
> host/auth01.example.dk principle - which for some reason got a kvno of 2
> - - don't know if this matters).
> I then add my client (another FreeBSD 5.3 server) as a principal and
> copy the relevant entry in the /etc/krb5.keytab to the client.
>
> When I try to ssh login to my auth01 server(the kdc) I get this in the
> krb5kdc.log:
>
> Apr 26 15:00:30 auth01.example.dk krb5kdc[34324](info): TGS_REQ (6
> etypes {16 5 23 3 2 1}) x.x.x.x: UNKNOWN_SERVER: authtime 1114520337,
> ktk at EXAMPLE.DK for krbtgt/PROD.DK.EXAMPLE.NET at EXAMPLE.DK, Server not
> found in Kerberos database
>
> But I can't figure out where it gets the PROD.DK.EXAMPLE.NET part from -
> it should have read vmwarefbsd5.example.dk - as thats what the forward
> and reverse DNS info points to.
The client (auth01.example.dk) thinks that the (ssh) server (hostname?)
is in a different realm (PROD.DK.EXAMPLE.NET) and is trying to get
a cross-realm ticket. Check the [domain_realm] stanza of your
/etc/krb5.conf file on the client and make sure that the ssh server's
hostname maps to the correct realm (EXAMPLE.DK).
More information about the Kerberos
mailing list