Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

Mathew Rowley mathew_rowley at cable.comcast.com
Thu Mar 12 13:43:59 EDT 2009


>>On the client, what is the ssh command you type in?
ssh -v red at rsa01.security.lab.comcast.net

>>What is in the /etc/hosts file?
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6

>>What is in the krb5.conf file?
# This is kdc01.security.lab.comcast.net - client
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMCAST.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
 COMCAST.NET = {
  kdc = kdc01.security.lab.comcast.net:88
  kdc = kdc02.security.lab.comcast.net:88
  admin_server = kdc01.security.lab.comcast.net:749
  admin_server = kdc02.security.lab.comcast.net:749
  default_domain = security.lab.comcast.net
  database_module = openldap_ldapconf
 }

[domain_realm]
 .security.lab.comcast.net = COMCAST.NET
 security.lab.comcast.net = COMCAST.NET

[dbdefaults]
 ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
  ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
  # this object needs to have read rights on
  # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
  # this object needs to have read and write rights on
  # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
  ldap_servers = ldap://kdc01.security.lab.comcast.net
  ldap_conns_per_server = 5
 }

>>Is nsswitch.conf mapping any hosts?
No

>>What does nslookup rsa01.security.lab.comcast.net show?
[red at kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
Server:         10.252.152.70
Address:        10.252.152.70#53

Name:   rsa01.security.lab.comcast.net
Address: 10.252.152.76

>>Is this a private network?
Yes, lab environment

>>Are your DNS servers doing something special and actually returning
>>the name as 10.242.142.77?
They shouldn’t be – I configured it, just using named

Here is a tcpdump of communication with the dns server when attempting to
ssh: http://pastebin.com/m66ff7a28
I looked at the pcap in wireshark, and it seems like it's doing a standard
query with a valid standard response (for A name)...

MAT



On 3/12/09 9:15 AM, "Douglas E. Engert" <deengert at anl.gov> wrote:

> 
> 
> 
> Mathew Rowley wrote:
>> > When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> > to a RH4 box, I get the following error from ssh:
>> >
>> > ...
>> > debug1: Authentications that can continue:
>> > publickey,gssapi-with-mic,password,keyboard-interactive
>> > debug1: Next authentication method: gssapi-with-mic
>> > debug1: Unspecified GSS failure.  Minor code may provide more information
>> > Server not found in Kerberos database
>> >
>> > debug1: Unspecified GSS failure.  Minor code may provide more information
>> > Server not found in Kerberos database
>> > ...
>> >
>> > When looking at the krb5kdc.log I see:
>> >
>> > Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info):
>> TGS_REQ
>> > (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> > 1236809289,  red at COMCAST.NET for host/10.252.152.77 at COMCAST.NET, Server not
>> > found in Kerberos database
>> > krb5kdc: Interrupted system call - while selecting for network input(1)
>> >
>> > It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
>> > instead of what I expected 'host/rsa01.security.lab.comcast.net'.  Does
>> > anyone have any idea why this would be happening?  I have exact same
>> > configurations on RH5 boxes that will work properly and send host/FQDN...
> 
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
> 
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
> 
> A Wireshark trace might show what DNS is doing here.
> 
> 
> 
>> > Thanks.
>> >
> 
> --
> 
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> 

-- 
MAT
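The krb5kdc.log line quoted in this thread is the KDC-side symptom of the problem: a TGS_REQ for a service principal whose instance is an IP literal, which the KDC answers with UNKNOWN_SERVER. The following script is an added example, not code from this thread or from MIT Kerberos; it parses krb5kdc "info" request lines and flags every ticket request for a `host/<ip-address>` principal, so a KDC administrator can spot hosts that are building their service principal from an address instead of an FQDN before users start seeing "Server not found in Kerberos database". The log text is constructed for the example (modelled on the quoted line, with the `@` that the list archive rewrote as ` at ` restored), and the log line format assumed is that of the MIT krb5 1.6-era KDC shown in the thread.

```python
import ipaddress
import re

# Constructed sample log, modelled on the krb5kdc.log excerpt quoted in the
# thread; two successful requests are added for contrast.
SAMPLE_KDC_LOG = """\
Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289,  red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
Mar 11 22:59:40 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: ISSUE: authtime 1236809289, etypes {rep=18 tkt=18 ses=18}, red@COMCAST.NET for host/rsa02.security.lab.comcast.net@COMCAST.NET
Mar 11 23:00:02 kdc01.security.lab.comcast.net krb5kdc[17694](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: ISSUE: authtime 1236809402, etypes {rep=18 tkt=18 ses=18}, red@COMCAST.NET for krbtgt/COMCAST.NET@COMCAST.NET
"""

# One krb5kdc "info" request line (assumed format, as in the quoted excerpt):
# timestamp, KDC host, request type, requesting address, result code,
# client principal, requested server principal, optional trailing message.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)


def parse_kdc_line(line):
    """Return the fields of one krb5kdc request line, or None when the line
    is not a request line (startup messages, select() errors, ...)."""
    m = KDC_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def principal_instance(principal):
    """'host/rsa01.example@REALM' -> 'rsa01.example'; None when the
    principal has no instance component (e.g. 'red@REALM')."""
    name = principal.split("@", 1)[0]
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else None


def is_ip_literal(text):
    """True when text is an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def find_ip_literal_service_requests(log_text):
    """Return every TGS_REQ whose requested service principal names an IP
    address instead of an FQDN.  Such a request only succeeds if the KDC
    holds a host/<ip> principal, so each hit points at a machine that used
    an address rather than its canonical host name to build the principal."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_kdc_line(line)
        if not entry or entry["req"] != "TGS_REQ":
            continue
        instance = principal_instance(entry["server"])
        if instance and is_ip_literal(instance):
            hits.append(entry)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per requesting address, so one misconfigured
    service host shows up as a cluster of failures from the clients using it."""
    counts = {}
    for h in hits:
        counts[h["client_ip"]] = counts.get(h["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_ip_literal_service_requests(SAMPLE_KDC_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["status"]}: {h["client"]} asked for {h["server"]}')
    print(summarize_by_client(flagged))
```

Run against a real log with `find_ip_literal_service_requests(open("/var/log/krb5kdc.log").read())`; the request type check skips AS_REQ lines (the `krbtgt/REALM` instance is a realm name, not a host), and the summary by requesting address makes it easy to tell one misconfigured service host from a wider canonicalization problem.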