multihomed IP address
Gsandtner Michael
michael.gsandtner at wien.gv.at
Mon Jun 22 06:53:10 EDT 2015
We want to connect with ssh via Kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this DNS configuration is required):
# nslookup vmlxsuche1test
Name: vmlxsuche1test.host.magwien.gv.at
Address: 10.153.92.100
# nslookup 10.153.92.100
100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
ssh sometimes works and sometimes does not (it falls back to the authentication method: password).
In both cases the credential cache on the client looks the same (we got a TGS for both names):
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lanadvgsa@MAGWIEN.GV.AT

Valid starting     Expires            Service principal
06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
If we enter the host vmlxsuche1test (but not the second name zktest) in the client's /etc/hosts (so the DNS reverse lookup is not done), it always works, and then we get only one TGS:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lanadvgsa@MAGWIEN.GV.AT

Valid starting     Expires            Service principal
06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
        renew until 06/29/15 10:58:15
06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 10:58:15
Here is some more information:
# klist -ke    # the keytab on the host
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
Here is the entry in Active Directory (so there is only one entry with both SPNs):
dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
servicePrincipalName: host/ZKTEST
servicePrincipalName: host/zktest.host.magwien.gv.at
servicePrincipalName: host/VMLXSUCHE1TEST
msDS-KeyVersionNumber: 5
KDC: Active Directory 2008
sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6
Any hint welcome.
Kind regards
DI Michael Gsandtner
AS3 - Zentrale Dienste
MA 14 - Informations- und Kommunikationstechnologie
A - 1220 Wien, Stadlauer Straße 56/B.02.054
Phone: +43 1 4000 91640
Mobile: +43 676 8118 91640
Fax: +43 1 4000 99 91640
E-Mail: michael.gsandtner at wien.gv.at
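The script below is an added example, not part of the original post and not code from OpenSSH or any Kerberos implementation. It models the situation the post describes: a client that canonicalizes the target host name by resolving it forward to an address and then, when reverse lookups are enabled, using whatever name the PTR lookup returns as the instance of the host/ principal. That canonicalization sequence, the rdns switch and the function names are assumptions of the example; the forward and reverse maps, the /etc/hosts case and the keytab contents are constructed from the nslookup and klist -ke output quoted in the post. It enumerates every host/ principal the client might request, flags the case where two PTR names make that choice ambiguous, and checks the candidates against the server's keytab.

```python
"""Diagnose ambiguous reverse DNS for a Kerberos/GSSAPI ssh target.

Assumption (not from the post): the client resolves the target name
forward to an address and, if reverse lookups are enabled, uses the name
the PTR lookup returns as the instance of the host/ principal.  With two
PTR records the instance depends on which name the resolver hands back.
"""
import socket
from typing import Dict, List, Set, Tuple

REALM = "MAGWIEN.GV.AT"

# Forward map: queried name -> (canonical FQDN, address).  Constructed from
# the "nslookup vmlxsuche1test" output in the post.
FORWARD: Dict[str, Tuple[str, str]] = {
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
    "vmlxsuche1test.host.magwien.gv.at":
        ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
}

# Reverse map as DNS returns it: two PTR names for one address (constructed
# from the "nslookup 10.153.92.100" output).
REVERSE_DNS: Dict[str, List[str]] = {
    "10.153.92.100": ["vmlxsuche1test.host.magwien.gv.at.",
                      "zktest.host.magwien.gv.at."],
}

# Reverse map when /etc/hosts pins the address to the first name only.
REVERSE_HOSTS: Dict[str, List[str]] = {
    "10.153.92.100": ["vmlxsuche1test.host.magwien.gv.at"],
}

# Principals present in the server's keytab (klist -ke in the post).
KEYTAB: Set[str] = {
    "host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT",
    "host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT",
}


def host_principal(name: str, realm: str = REALM) -> str:
    """Build host/<fqdn>@REALM, dropping a trailing dot and lower-casing."""
    return f"host/{name.rstrip('.').lower()}@{realm}"


def candidate_principals(hostname: str, forward, reverse,
                         rdns: bool = True, realm: str = REALM) -> Set[str]:
    """Every host/ principal the client might ask the KDC for.

    With rdns=True each PTR name is a possible instance (the resolver may
    return them in any order); with rdns=False, or when no PTR exists,
    only the forward canonical name is used.
    """
    if hostname not in forward:
        raise LookupError(f"no forward record for {hostname}")
    fqdn, ip = forward[hostname]
    names = reverse.get(ip) if rdns else None
    if not names:
        names = [fqdn]
    return {host_principal(n, realm) for n in names}


def diagnose(hostname: str, forward, reverse, keytab: Set[str],
             rdns: bool = True, realm: str = REALM) -> dict:
    """Report whether canonicalization is ambiguous and whether every
    candidate principal has a key in the server's keytab."""
    candidates = candidate_principals(hostname, forward, reverse, rdns, realm)
    return {
        "candidates": candidates,
        "ambiguous": len(candidates) > 1,
        "missing_from_keytab": candidates - keytab,
    }


def live_maps(hostname: str):
    """Build the same two maps from the real resolver (needs network; the
    offline checks above do not call it).  Extra PTR names normally show
    up in the alias list returned by gethostbyaddr()."""
    fqdn, _aliases, addrs = socket.gethostbyname_ex(hostname)
    forward = {hostname: (fqdn, addrs[0]), fqdn: (fqdn, addrs[0])}
    reverse: Dict[str, List[str]] = {}
    for ip in addrs:
        try:
            primary, aliases, _ = socket.gethostbyaddr(ip)
            reverse[ip] = [primary, *aliases]
        except socket.herror:
            reverse[ip] = []
    return forward, reverse


if __name__ == "__main__":
    for label, rev in (("DNS reverse", REVERSE_DNS), ("/etc/hosts", REVERSE_HOSTS)):
        r = diagnose("vmlxsuche1test", FORWARD, rev, KEYTAB)
        print(f"{label}: ambiguous={r['ambiguous']} "
              f"candidates={sorted(r['candidates'])}")
```

Run it as-is to see the two cases from the post side by side: with the DNS reverse map both host/ principals are candidates, with the /etc/hosts map only one is. Against a real host, pass the result of live_maps() to diagnose() together with the principal list from klist -ke on the server; a non-empty missing_from_keytab means some name the client may canonicalize to has no key on the server.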