"Negative cache rejected lookup for" host/princ when using GSSAPI + ssh on Mac OS X 10.6

Jonathan Simms slyphon at gmail.com
Wed Sep 22 21:53:41 EDT 2010


On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <slyphon at gmail.com> wrote:
> I found only one reference to the string "Negative cache rejected
> lookup for" searching Google for information, so I figured I'd ask
> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
> am kinited on OS X, and when I try to ssh to the Debian box, I get the
> following error message in the debug output:
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Negative cache rejected lookup for 'host/$FQDN@$REALM'
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server not found in Kerberos database
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
>
>
> When I ssh to another box and kinit there, then ssh over to the same
> host, it does the GSS exchange fine, forwards my credentials, and I
> see the host's ticket when I do klist.
>
> Any clue what this negative cache is on OS-X and how to clear it? The
> only reference I found was
> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
> and I'd rather not reboot my box if I can help it :)
>
> -- Jonathan
>

Looking at the KDC logs, it seems that I got an UNKNOWN_SERVER
response for the host I was trying to connect to (cfengine hadn't set
up the principal yet).  After setting up the principal and confirming
in kadmin that it did indeed exist, I tried sshing again, and noticed
that in the KDC logs, OS X didn't even attempt to get a key for the
host. It seems CCacheServer (I'm guessing) is caching the negative
reply. Is there any way of tuning this behavior?
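The two messages quoted above look alike at a glance but point at different places: "Server not found in Kerberos database" is the KDC saying the service principal does not exist, while "Negative cache rejected lookup for ..." is the client refusing to ask the KDC again because it remembers the earlier failure. The script below is an added example, not something posted in this thread, that classifies `ssh -v` output by which of those two conditions it contains and pulls out the service principal named in the negative-cache line so it can be checked on the KDC side. The sample debug text, the host name `server.example.com` and the realm `EXAMPLE.COM` are constructed placeholders.

```sh
#!/bin/sh
# Added example: triage GSSAPI failures seen in `ssh -v` output.
# Not code from the thread; host/realm below are constructed placeholders.

# Constructed sample modelled on the debug lines quoted in the thread.
SAMPLE_DEBUG="debug1: Unspecified GSS failure.  Minor code may provide more information
Negative cache rejected lookup for 'host/server.example.com@EXAMPLE.COM'
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure.  Minor code may provide more information"

# classify_gss_failure: reads ssh -v output on stdin and prints one word.
#   negative-cache : client-side negative cache blocked the KDC lookup
#                    (the KDC will not even see a request, as the thread observed)
#   unknown-server : KDC answered that the service principal does not exist
#   other          : a GSS failure whose minor code we do not recognise
#   none           : no GSS failure in the output at all
# The negative-cache case is tested first: when both strings appear, the
# cached rejection is what stops the retry after the principal is created.
classify_gss_failure() {
    _out=$(cat)
    case "$_out" in
        *"Negative cache rejected lookup for"*) echo negative-cache ;;
        *"Server not found in Kerberos database"*) echo unknown-server ;;
        *"Unspecified GSS failure"*) echo other ;;
        *) echo none ;;
    esac
}

# service_principal_from_debug: prints the principal quoted in the
# negative-cache line (first match only), or nothing if absent.
service_principal_from_debug() {
    sed -n "s/.*Negative cache rejected lookup for '\([^']*\)'.*/\1/p" | head -n 1
}

# suggest_check: prints the KDC-side check a defender would run next.
# `kvno` (MIT and Heimdal) requests a service ticket for the principal;
# success from another, uncached client confirms the KDC now knows it.
suggest_check() {
    _princ=$1
    case "$_princ" in
        "") echo "no principal found in debug output; rerun with ssh -v" ;;
        *)  echo "on a client without the cached failure, run: kvno '$_princ'" ;;
    esac
}

# Stand-alone run over the constructed sample.
kind=$(printf '%s\n' "$SAMPLE_DEBUG" | classify_gss_failure)
princ=$(printf '%s\n' "$SAMPLE_DEBUG" | service_principal_from_debug)
echo "classification: $kind"
echo "principal:      $princ"
suggest_check "$princ"
```

Usage on a live session: `ssh -v user@host 2>&1 | tee /tmp/ssh-debug.log`, then feed the log to `classify_gss_failure`. A `negative-cache` result means fixing the principal on the KDC is necessary but not sufficient; the client's cache entry also has to expire or be cleared before it will retry.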
