kinit is ok, but ssh is not

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Fri May 2 12:50:00 EDT 2014


On Fri, 2014-05-02 at 17:35 +0100, Giuseppe Mazza wrote:
> Dear All,
> 
> I have built a test infrastructure as below:
> gm-u1204 = Ubuntu12.04 server running my kdc (realm -> GML.DOC.IC.AC.UK)
> gm-win2012 = Windows 2012 running my dc (domain -> GMW.DOC.IC.AC.UK)
> 
> I have set up a nontransitive trust, i.e.
> "One-way: incoming Users in this domain          GMW.DOC.IC.AC.UK
>  can be authenticated in the specified realm     GML.DOC.IC.AC.UK
> "
> 
> 1] I can
> mazza@gm-u1204:~$ kinit giuseppe@GMW.DOC.IC.AC.UK
> mazza@gm-u1204:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1002
> Default principal: giuseppe@GMW.DOC.IC.AC.UK
> 
> Valid starting     Expires            Service principal
> 02/05/14 15:55:17  03/05/14 01:55:34  krbtgt/GMW.DOC.IC.AC.UK@GMW.DOC.IC.AC.UK
> 	renew until 03/05/14 15:55:17
> 
> 2] but I cannot
> mazza@gm-u1204:~$ ssh -vvv giuseppe@gm-u1204
> ...
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Cannot find KDC for requested realm
> ...
> debug1: Next authentication method: password
> giuseppe@gm-u1204's password:
> 
> and I am asked for giuseppe's password :-(
> 
> I have noticed the "Cannot find KDC for requested realm" message above.
> 
> My /etc/krb5.conf contains the lines below:
> 
> 
> root@gm-u1204:~# grep -A 1 -B 2 GML /etc/krb5.conf
> [libdefaults]
> 	default_realm = GML.DOC.IC.AC.UK
> 	rdns = false
> --
> # in the section below:
> [realms]
>         GML.DOC.IC.AC.UK = {
>                 kdc = gml.doc.ic.ac.uk
> --
> # in the section below:
> [domain_realm]
> 	.doc.ic.ac.uk = GML.DOC.IC.AC.UK
> 	doc.ic.ac.uk = GML.DOC.IC.AC.UK
> 	.mit.edu = ATHENA.MIT.EDU
> 
> 
> 
> root@gm-u1204:~# grep -A 2 GMW /etc/krb5.conf
>         GMW.DOC.IC.AC.UK = {
>                 kdc = gm-win2012.doc.ic.ac.uk:88
> 		default_domain = doc.ic.ac.uk
> 
> 
> I wonder if you could provide some help to solve my problem.

Shouldn't the kdc for GML.DOC... be "gm-u1204.doc.ic.ac.uk" instead of
"gml.doc.ic.ac.uk" in your krb5.conf?

Cheers,

Kenny.


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
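
Added example, not part of the original thread: a small check that maps a service host to its realm through `[domain_realm]` and lists that realm's `kdc` entries that do not resolve, which is the condition behind "Cannot find KDC for requested realm". The config text is assembled from the fragments quoted above, and the function names and the `resolves` callback are assumptions of this example.

```python
# Constructed sample: the krb5.conf fragments quoted in the thread, assembled
# into one file (closing braces added; the greps did not show them).
SAMPLE_CONF = """\
[realms]
    GML.DOC.IC.AC.UK = {
        kdc = gml.doc.ic.ac.uk
    }
    GMW.DOC.IC.AC.UK = {
        kdc = gm-win2012.doc.ic.ac.uk:88
        default_domain = doc.ic.ac.uk
    }
[domain_realm]
    .doc.ic.ac.uk = GML.DOC.IC.AC.UK
    doc.ic.ac.uk = GML.DOC.IC.AC.UK
"""

def parse_krb5_conf(text):
    """Return ({realm: [kdc hosts]}, {domain_realm key: realm})."""
    kdcs, domain_realm, section, realm = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif line == "}":
            realm = None
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                kdcs[realm] = []
            elif section == "realms" and realm and key == "kdc":
                # Drop an optional ":port" (IPv6 literals are not handled here).
                kdcs[realm].append(value.split(":")[0].lower())
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return kdcs, domain_realm

def realm_for_host(fqdn, domain_realm):
    """Simplified [domain_realm] lookup: exact host, then ".parent" suffixes."""
    labels = fqdn.lower().split(".")
    candidates = [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[c] for c in candidates if c in domain_realm), None)

def unresolvable_kdcs(text, service_host, resolves):
    """Realm of service_host and its kdc entries for which resolves() is False."""
    kdcs, domain_realm = parse_krb5_conf(text)
    realm = realm_for_host(service_host, domain_realm)
    return realm, [host for host in kdcs.get(realm, []) if not resolves(host)]
```

On a live host, `resolves` can wrap `socket.getaddrinfo` and return False on `socket.gaierror`; the callback is injected here so the check also runs offline against a known set of names.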
