"Negative cache rejected lookup for" host/princ when using GSSAPI + ssh on Mac OS X 10.6

[Jonathan Simms]

On Wed, Sep 22, 2010 at 9:53 PM, Jonathan Simms <slyphon at gmail.com> wrote:
> On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <slyphon at gmail.com> wrote:
>> I found only one reference to the string "Negative cache rejected
>> lookup for" searching google for information, so I figured I'd ask
>> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
>> am kinited on osx, and try to ssh to to the debian box, i get the
>> following error message in the debug output:
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Negative cache rejected lookup for 'host/$FQDN@$REALM'
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>
>>
>> When I ssh to another box and kinit there, then ssh over to the same
>> host, it does the GSS exchange fine, forwards my credentials, and i
>> see the host's ticket when i do klist.
>>
>> Any clue what this negative cache is on OS-X and how to clear it? The
>> only reference I found was
>> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
>> and I'd rather not reboot my box if i can help it :)
>>
>> -- Jonathan
>>
>
> Looking at the kdc logs, it seems that I got an UNKNOWN_SERVER
> response for the host I was trying to connect to (cfengine hadn't set
> up the principal yet).  After setting up the principal and confirming
> in kadmin that it did indeed exist, I tried sshing again, and noticed
> that in the kdc logs, OS-X didn't even attempt to get a key for the
> host. It seems CCacheServer (I'm guessing) is caching the negative
> reply. Is there any way of tuning this behavior?
>

One last thing, if I kdestroy and kinit again, then ssh to the host, I
get a ticket for the host and the exchange works fine.