SSH issue

Marcel Koopmans marcel.koopmans at elysium-os.nl
Tue Jan 17 16:35:28 EST 2006


Hello Douglas,

It seems it is because of an entry in my /etc/hosts file on hephaestus.
My server zeus.home.elysium-os.nl is known on the internet as 
pki.elysium-os.nl.
So I did add pki.elysium-os.nl in my /etc/hosts to make sure that I no 
longer get pop-ups about incorrect SSL certificates on Apache.

It seems that I have https or Kerberos working 100%; for now I stick to 
Kerberos.

Thanks,
    marcel

 

Douglas E. Engert wrote:
>
>
> Marcel Koopmans wrote:
>
>> Hello Klaas,
>>
>> hephaestus runs MacOSX 10.4.4 so the /etc/krb5.conf file is named 
>> /Library/Preferences/edu.mit.Kerberos but it looks ok
>>
>> [libdefaults]
>>  default_realm = HOME.ELYSIUM-OS.NL
>>
>> [realms]
>>  HOME.ELYSIUM-OS.NL = {
>>    kdc = zeus.home.elysium-os.nl:88
>>    admin_server = zeus.home.elysium-os.nl:749
>>    default_domain = home.elysium-os.nl
>>  }
>>
>> [domain_realm]
>>  home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>  .home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>
>>
>> On zeus /etc/krb5.conf also looks ok
>>
>>
>> [libdefaults]
>>  default_realm = HOME.ELYSIUM-OS.NL
>>
>> [realms]
>>  HOME.ELYSIUM-OS.NL = {
>>    kdc = kerberos.home.elysium-os.nl:88
>>    admin_server = kerberos.home.elysium-os.nl:749
>>    default_domain = home.elysium-os.nl
>>  }
>>
>> [domain_realm]
>>  home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>  .home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>
>> [logging]
>>  kdc = FILE:/var/log/kerberos.log
>>  admin_server = FILE:/var/log/kerberos.log
>>  default = FILE:/var/log/kerberos.log
>>
>>
>> In the logfile of the KDC it shows
>>
>>
>> Jan 17 19:16:48 zeus krb5kdc[2170](info): TGS_REQ (7 etypes {18 17 16 
>> 23 1 3 2}) 172.20.1.5: UNKNOWN_SERVER: authtime 1137492150,  
>> marcel@HOME.ELYSIUM-OS.NL for 
>> krbtgt/ELYSIUM-OS.NL@HOME.ELYSIUM-OS.NL, Server not found in Kerberos 
>> database
>
> The client is trying to do cross-realm, and the first step is to try
> and get a TGT up one level in the path. The client is not determining the
> realm of the server to be in the same realm as the client.
>
> Look at DNS, /etc/resolv.conf and /etc/hosts files. Fully qualify the 
> hostname
> on the ssh command line.
>
>
>
>>
>>
>> I do not get a ticket for zeus.
>> If server zeus is unknown then why does it work just fine from hades??
>> If there is something wrong on hephaestus why does ssh to hades work??
>>
>> with kind regards,
>>    Marcel
>>
>>
>>
>> Klaas Hagemann wrote:
>>
>>> Hi marcel,
>>>
>>> check the domain-realm mapping in /etc/krb5.conf, maybe something 
>>> there is wrong.
>>> Then you can monitor krb5kdc.log while trying to access zeus and see 
>>> what's going on.
>>>
>>> Does principal marcel get a service ticket for zeus?
>>>
>>> - Klaas
>>>
>>> Marcel Koopmans wrote:
>>>
>>>  
>>>
>>>> Hello everybody,
>>>>
>>>> I have an issue with ssh to another computer.
>>>> I use 3 computers,
>>>>
>>>> 1 zeus, the KDC that has sshd running
>>>> 2 hades,  server that has sshd running
>>>> 3 hephaestus,  a workstation, no sshd.
>>>>
>>>> On hephaestus principal marcel gets its TGT.
>>>> ssh to hades works just fine, no password is required.
>>>> ssh to zeus fails, in the debug data from ssh I find "Server not 
>>>> found in Kerberos database".
>>>> but...
>>>> login on hades and ssh to zeus does work fine.
>>>> also login on hephaestus ssh to hades and then ssh to zeus works fine.
>>>>
>>>> any ideas??
>>>>
>>>> with kind regards,
>>>>    Marcel
>>>>
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>  
>>>>
>>>>     
>>>
>>>
>>
>>
>
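The failure discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how a Kerberos client maps the server's hostname to a realm using the `[domain_realm]` section quoted above, showing why the `pki.elysium-os.nl` name from /etc/hosts produces the `krbtgt/ELYSIUM-OS.NL` request seen in the KDC log. The function names are hypothetical, and the fallback of upper-casing the parent domain is an assumption chosen to be consistent with that log line.

```python
# Added illustration: a simplified model of host-to-realm lookup, not MIT's code.
# KRB5_CONF reproduces the relevant parts of the client config quoted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = HOME.ELYSIUM-OS.NL

[domain_realm]
 home.elysium-os.nl = HOME.ELYSIUM-OS.NL
 .home.elysium-os.nl = HOME.ELYSIUM-OS.NL
"""

def parse_section(text, section):
    """Collect the key = value pairs of one [section] of a krb5.conf-style file."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[key] = value
    return entries

def host_realm(fqdn, domain_realm):
    """Return (realm, matched_key); matched_key is None when no entry matched."""
    name = fqdn.lower().rstrip(".")
    candidate = name
    while candidate:
        # Try the exact name first, then ".parent", "parent", ".grandparent", ...
        if candidate in domain_realm:
            return domain_realm[candidate], candidate
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    # Assumed fallback: the host's parent domain in upper case.
    parent = name.split(".", 1)[1] if "." in name else name
    return parent.upper(), None

def first_ticket_request(fqdn, conf_text=KRB5_CONF):
    """Name the principal the client asks its own KDC for when ssh targets fqdn."""
    default_realm = parse_section(conf_text, "libdefaults")["default_realm"]
    realm, _ = host_realm(fqdn, parse_section(conf_text, "domain_realm"))
    if realm == default_realm:
        return f"host/{fqdn}@{realm}"        # same realm: plain service ticket
    return f"krbtgt/{realm}@{default_realm}"  # other realm: cross-realm TGT first
```

Running `first_ticket_request` on the name the client resolver actually returns for the target (forward lookup through /etc/hosts and DNS) shows which of the two paths a given hosts entry puts the client on.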

