Kerberos Single sign on not working
ghudson at MIT.EDU
Tue May 28 13:25:50 EDT 2013
On 05/28/2013 12:19 AM, kannan rbk wrote:
> I think i am little short on the problem. Thanks for your useful
> debugging info. I am trying to connect the host "kannan" but in kerberos
> log it tries to connect "dineshbabu".
When we convert a hostname to a Kerberos principal, we canonicalize the
hostname using name resolution: first by performing a forward lookup,
and then by performing a reverse lookup of the resulting address. Here
is an example:
$ host ptr-mismatch.kerberos.org
ptr-mismatch.kerberos.org is an alias for www.kerberos.org.
www.kerberos.org has address 22.214.171.124
$ host 126.96.36.199
188.8.131.52.in-addr.arpa domain name pointer KERBEROS-ORG.MIT.EDU.
$ kvno -S host ptr-mismatch.kerberos.org
host/kerberos-org.mit.edu at ATHENA.MIT.EDU: kvno = 4
It seems that on your network, "kannan" canonicalizes to "dineshbabu"
according to this process.
It is possible to suppress the reverse lookup by setting "rdns = false"
in the [libdefaults] section of krb5.conf. Unfortunately, this doesn't
always work on Linux due to a libc bug.
More information about the Kerberos