Kerberos Single sign on not working

Greg Hudson ghudson at MIT.EDU
Tue May 28 13:25:50 EDT 2013

On 05/28/2013 12:19 AM, kannan rbk wrote:
> I  think i am  little short on the problem. Thanks for your useful
> debugging info. I am trying to connect the host "kannan" but in kerberos
> log it tries to connect "dineshbabu".

When we convert a hostname to a Kerberos principal, we canonicalize the
hostname using name resolution: first by performing a forward lookup,
and then by performing a reverse lookup of the resulting address.  Here
is an example:

  $ host is an alias for has address

  $ host domain name pointer KERBEROS-ORG.MIT.EDU.

  $ kvno -S host
  host/ at ATHENA.MIT.EDU: kvno = 4

It seems that on your network, "kannan" canonicalizes to "dineshbabu"
according to this process.

It is possible to suppress the reverse lookup by setting "rdns = false"
in the [libdefaults] section of krb5.conf.  Unfortunately, this doesn't
always work on Linux due to a libc bug.

More information about the Kerberos mailing list