Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

Douglas E. Engert deengert at anl.gov
Thu Mar 12 11:15:43 EDT 2009



Mathew Rowley wrote:
> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
> to a RH4 box, I get the following error from ssh:
> 
> ...
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server not found in Kerberos database
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server not found in Kerberos database
> ...
> 
> When looking at the krb5kdc.log I see:
> 
> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
> 1236809289,  red at COMCAST.NET for host/10.252.152.77 at COMCAST.NET, Server not
> found in Kerberos database
> krb5kdc: Interrupted system call - while selecting for network input(1)
> 
> It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
> instead of what I expected 'host/rsa01.security.lab.comcast.net'.  Does
> anyone have any idea why this would be happening?  I have exact same
> configurations on RH5 boxes that will work properly and send host/FQDN...

On the client, what is the ssh command you type in?
What is in the /etc/hosts file?
What is in the krb5.conf file?
Is nsswitch.conf mapping any hosts?
What does nslookup rsa01.security.lab.comcast.net show?

Is this a private network?
Are your DNS servers doing something special and actually returning
the name as 10.242.142.77?

A Wireshark trace might show what DNS is doing here.



> Thanks.
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
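
Added example, not part of the original message: a Python scan of krb5kdc log lines for the symptom in this thread, a TGS_REQ that fails with UNKNOWN_SERVER because the requested service principal carries an IP literal in place of a hostname. The log lines are constructed, modeled on the entry quoted above with "@" where the archive shows " at "; the hostnames, realm and addresses are placeholders.

```python
import ipaddress
import re

# Fields of interest in a krb5kdc TGS_REQ entry, following the layout of the
# log line quoted in the thread: source address, status, client, service.
TGS_RE = re.compile(
    r"TGS_REQ \(.*?\) (?P<src>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<service>[^\s,]+)"
)

# Constructed sample lines (placeholder names, realm and addresses).
SAMPLE_LOG = [
    "Mar 11 22:59:09 kdc01.example.com krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.78: UNKNOWN_SERVER: authtime "
    "1236809289,  red@EXAMPLE.COM for host/192.0.2.77@EXAMPLE.COM, "
    "Server not found in Kerberos database",
    "Mar 11 23:01:40 kdc01.example.com krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.78: ISSUE: authtime 1236809289, "
    "etypes {rep=18 tkt=18 ses=18}, red@EXAMPLE.COM for "
    "host/rsa02.example.com@EXAMPLE.COM",
    "Mar 11 23:02:11 kdc01.example.com krb5kdc[17694](info): TGS_REQ "
    "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.80: UNKNOWN_SERVER: authtime "
    "1236809300,  red@EXAMPLE.COM for host/rsa1.example.com@EXAMPLE.COM, "
    "Server not found in Kerberos database",
]


def ip_literal_requests(log_lines):
    """Return (source, client, service) for each failed TGS_REQ whose
    service principal has an IP address as its host component."""
    hits = []
    for line in log_lines:
        m = TGS_RE.search(line)
        if not m or m["status"] != "UNKNOWN_SERVER":
            continue
        # Drop the realm, then split "service/host" into its components.
        parts = m["service"].rsplit("@", 1)[0].split("/")
        if len(parts) != 2:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # host component is a name: a different problem
        hits.append((m["src"], m["client"], m["service"]))
    return hits


if __name__ == "__main__":
    for src, client, service in ip_literal_requests(SAMPLE_LOG):
        print(f"{src}: {client} asked for {service} (IP literal, not FQDN)")
```

The source address on each hit identifies the client whose name resolution to check first.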


