Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
Mathew Rowley
mathew_rowley at cable.comcast.com
Thu Mar 12 13:43:59 EDT 2009
>>On the client, what is the ssh command you type in?
ssh -v red@rsa01.security.lab.comcast.net
>>What is in the /etc/hosts file?
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
>>What is in the krb5.conf file?
# This is kdc01.security.lab.comcast.net - client
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMCAST.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[realms]
 COMCAST.NET = {
  kdc = kdc01.security.lab.comcast.net:88
  kdc = kdc02.security.lab.comcast.net:88
  admin_server = kdc01.security.lab.comcast.net:749
  admin_server = kdc02.security.lab.comcast.net:749
  default_domain = security.lab.comcast.net
  database_module = openldap_ldapconf
 }

[domain_realm]
 .security.lab.comcast.net = COMCAST.NET
 security.lab.comcast.net = COMCAST.NET

[dbdefaults]
 ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
  ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
  # this object needs to have read rights on
  # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
  # this object needs to have read and write rights on
  # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
  ldap_servers = ldap://kdc01.security.lab.comcast.net
  ldap_conns_per_server = 5
 }
>>Is nsswitch.conf mapping any hosts?
No
>>What does nslookup rsa01.security.lab.comcast.net show?
[red@kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
Server: 10.252.152.70
Address: 10.252.152.70#53
Name: rsa01.security.lab.comcast.net
Address: 10.252.152.76
>>Is this a private network?
Yes, lab environment
>>Are your DNS servers doing something special and actually returning
>>the name as 10.242.142.77?
They shouldn’t be – I configured it, just using named
Here is a tcpdump of communication with the dns server when attempting to
ssh: http://pastebin.com/m66ff7a28
I looked at the pcap in wireshark, and it seems like it's doing a standard
query with a valid standard response (for A name)...
MAT
On 3/12/09 9:15 AM, "Douglas E. Engert" <deengert at anl.gov> wrote:
>
> Mathew Rowley wrote:
>> > When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> > to a RH4 box, I get the following error from ssh:
>> >
>> > ...
>> > debug1: Authentications that can continue:
>> > publickey,gssapi-with-mic,password,keyboard-interactive
>> > debug1: Next authentication method: gssapi-with-mic
>> > debug1: Unspecified GSS failure. Minor code may provide more information
>> > Server not found in Kerberos database
>> >
>> > debug1: Unspecified GSS failure. Minor code may provide more information
>> > Server not found in Kerberos database
>> > ...
>> >
>> > When looking at the krb5kdc.log I see:
>> >
>> > Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>> > (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> > 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>> > found in Kerberos database
>> > krb5kdc: Interrupted system call - while selecting for network input(1)
>> >
>> > It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
>> > instead of what I expected 'host/rsa01.security.lab.comcast.net'. Does
>> > anyone have any idea why this would be happening? I have exact same
>> > configurations on RH5 boxes that will work properly and send host/FQDN...
>
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
>
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
>
> A Wireshark trace might show what DNS is doing here.
>
>> > Thanks.
>> >
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
--
MAT
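Added example (not part of the thread, not code from either poster): a small
Python checker for the symptom being discussed. It reads the [domain_realm]
and [libdefaults] sections of a krb5.conf, works out which host/FQDN@REALM
principal the ssh client should be asking for, parses the UNKNOWN_SERVER line
from krb5kdc.log, and flags when the host part of the requested principal is
an IP literal instead of a FQDN. The krb5.conf excerpt and the log line are
constructed from what is quoted above (the log line re-joined onto one line);
the suffix-matching rule in realm_for_host is a simplified model of the
libkrb5 [domain_realm] lookup, and the regex only knows the krb5kdc log
format shown here.

```python
import ipaddress
import re

# Constructed excerpt of the krb5.conf posted in the thread: the sections that
# drive the host -> realm mapping.
KRB5_CONF = """\
[libdefaults]
 default_realm = COMCAST.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
[domain_realm]
 .security.lab.comcast.net = COMCAST.NET
 security.lab.comcast.net = COMCAST.NET
"""

# Constructed: the krb5kdc.log entry quoted in the thread, re-joined onto one line.
KDC_LOG_LINE = (
    "Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): "
    "TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: "
    "authtime 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, "
    "Server not found in Kerberos database"
)

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}}; a '{ }' block is
    stored as a nested dict. Enough for this check, not a full profile parser."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack[-1].setdefault(key, []).append({})
                stack.append(stack[-1][key][-1])
            else:
                stack[-1].setdefault(key, []).append(value)
    return sections

def realm_for_host(host, conf):
    """[domain_realm] lookup (simplified model): exact host entry first, then
    the longest matching '.suffix' entry, then default_realm."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"][0]

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def expected_host_principal(host, conf):
    """Principal the client should request when the ssh target is a FQDN."""
    host = host.lower().rstrip(".")
    return "host/%s@%s" % (host, realm_for_host(host, conf))

# Matches the krb5kdc UNKNOWN_SERVER line format quoted in the thread.
UNKNOWN_SERVER_RE = re.compile(
    r"TGS_REQ .*? (?P<client_ip>\d+\.\d+\.\d+\.\d+): UNKNOWN_SERVER: .*?"
    r"(?P<client>\S+) for (?P<server>\S+?),"
)

def check_kdc_log_line(line):
    """Parse an UNKNOWN_SERVER TGS_REQ entry; None for any other line."""
    m = UNKNOWN_SERVER_RE.search(line)
    if not m:
        return None
    server = m.group("server")
    name, _, realm = server.partition("@")
    service, _, host = name.partition("/")
    return {"client": m.group("client"), "client_ip": m.group("client_ip"),
            "server_principal": server, "service": service, "host": host,
            "realm": realm, "host_is_ip_literal": is_ip_literal(host)}

def compare(ssh_target, log_line, conf):
    """Findings when the principal the KDC was asked for differs from the one
    expected for the host name typed on the ssh command line."""
    seen = check_kdc_log_line(log_line)
    if seen is None:
        return ["log line is not an UNKNOWN_SERVER TGS_REQ entry"]
    expected = expected_host_principal(ssh_target, conf)
    findings = []
    if seen["server_principal"] != expected:
        findings.append("KDC was asked for %s, expected %s"
                        % (seen["server_principal"], expected))
    if seen["host_is_ip_literal"]:
        findings.append("host component %s is an IP literal: client-side name "
                        "canonicalisation produced an address, not a FQDN; check "
                        "forward/reverse DNS and /etc/hosts on the client" % seen["host"])
    return findings
```

Run compare("rsa01.security.lab.comcast.net", KDC_LOG_LINE,
parse_krb5_conf(KRB5_CONF)) and you get two findings: the principal mismatch
and the IP-literal host. Feeding it the real krb5kdc.log lines from both the
working RH5 hosts and the failing RH4 host shows at a glance which clients
are building their service principal from an address rather than a name.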