SSH issue
Marcel Koopmans
marcel.koopmans at elysium-os.nl
Tue Jan 17 16:35:28 EST 2006
Hello Douglas,
It seems it is because of an entry in my /etc/hosts file on hephaestus.
my server zeus.home.elysium-os.nl is known on the internet as
pki.elysium-os.nl
So I did add pki.elysium-os.nl in my /etc/hosts to make sure that I no
longer get pop-ups about incorrect SSL certificates on Apache.
It seems that I have https or Kerberos working 100% for now I stick to
Kerberos
Thanks,
marcel
Douglas E. Engert wrote:
>
>
> Marcel Koopmans wrote:
>
>> Hello Klaas,
>>
>> hephaestus runs MacOSX 10.4.4 so the /etc/krb5.conf file is named
>> /Library/Preferences/edu.mit.Kerberos but it looks ok
>>
>> [libdefaults]
>> default_realm = HOME.ELYSIUM-OS.NL
>>
>> [realms]
>> HOME.ELYSIUM-OS.NL = {
>> kdc = zeus.home.elysium-os.nl:88
>> admin_server = zeus.home.elysium-os.nl:749
>> default_domain = home.elysium-os.nl
>> }
>>
>> [domain_realm]
>> home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>> .home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>
>>
>> On zeus /etc/krb5.conf also looks ok
>>
>>
>> [libdefaults]
>> default_realm = HOME.ELYSIUM-OS.NL
>>
>> [realms]
>> HOME.ELYSIUM-OS.NL = {
>> kdc = kerberos.home.elysium-os.nl:88
>> admin_server = kerberos.home.elysium-os.nl:749
>> default_domain = home.elysium-os.nl
>> }
>>
>> [domain_realm]
>> home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>> .home.elysium-os.nl = HOME.ELYSIUM-OS.NL
>>
>> [logging]
>> kdc = FILE:/var/log/kerberos.log
>> admin_server = FILE:/var/log/kerberos.log
>> default = FILE:/var/log/kerberos.log
>>
>>
>> In the logfile og the KDC it shows
>>
>>
>> Jan 17 19:16:48 zeus krb5kdc[2170](info): TGS_REQ (7 etypes {18 17 16
>> 23 1 3 2}) 172.20.1.5: UNKNOWN_SERVER: authtime 1137492150,
>> marcel at HOME.ELYSIUM-OS.NL for
>> krbtgt/ELYSIUM-OS.NL at HOME.ELYSIUM-OS.NL, Server not found in Kerberos
>> database
>
> The client is trying to do cross-realm, and the first step is to try
> and get a TGT up one level in the path. The client is not determining the
> realm of the server to be in the same realm as the client.
>
> Look at DNS, /etc/resolv.conf and /etc/host files. Fully qualify the
> hostname
> on the ssh command line.
>
>
>
>>
>>
>> I do not get a ticket for zeus.
>> If server zeus is unknown that why does it work just fine from hades??
>> If there is something wrong on hephaestus whay does ssh to hades work??
>>
>> with kind regards,
>> Marcel
>>
>>
>>
>> Klaas Hagemann wrote:
>>
>>> Hi marcel,
>>>
>>> check the domain-realm mapping in /etc/krb5.conf, maybe something
>>> there is wrong.
>>> then you can monitor krb5kdc.log while trying to access zeus and see
>>> whats going on.
>>>
>>> does principal marcel gets a service ticket for zeus?
>>>
>>> - Klaas
>>>
>>> Marcel Koopmans schrieb:
>>>
>>>
>>>
>>>> Hello everybody,
>>>>
>>>> I have a issue with ssh to another computer
>>>> I use 3 computers,
>>>>
>>>> 1 zeus, the KDC that has sshd running
>>>> 2 hades, server that has sshd running
>>>> 3 hephaestus, a workstation, no sshd.
>>>>
>>>> On hephaestus principal marcel gets its TGT.
>>>> ssh to hades works just fine, no password is required.
>>>> ssh to zeus fails, in the debug data from ssh I find "Server not
>>>> found in Kerberos database".
>>>> but...
>>>> login on hades and ssh to zeus does work fine.
>>>> also login on hephaestus ssh to hades and then ssh to zeus works fine.
>>>>
>>>> any ideas??
>>>>
>>>> with kind regards,
>>>> Marcel
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>>
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>> .
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list