multihomed IP address

Andrew Holway andrew.holway at gmail.com
Mon Jun 22 12:53:19 EDT 2015


I think SSSD has features to get around this kind of stuff.

On 22 June 2015 at 18:43, Greg Hudson <ghudson at mit.edu> wrote:

> On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> > We want to connect with ssh via kerberos. The host's name resolves to
> > one IP address, but the IP address resolves to two names (this is a
> > required DNS configuration):
> > # nslookup vmlxsuche1test
> > Name:   vmlxsuche1test.host.magwien.gv.at
> > Address: 10.153.92.100
> >
> > # nslookup 10.153.92.100
> > 100.92.153.10.in-addr.arpa      name = vmlxsuche1test.host.magwien.gv.at.
> > 100.92.153.10.in-addr.arpa      name = zktest.host.magwien.gv.at.
> >
> > ssh sometimes works, sometimes does not (falls back to authentication
> > method: password).
> > In both cases the credential cache on the client looks equal (got a TGS
> > for both names):
>
> ssh GSSAPI krb5 userauth does not work well when there are multiple
> possible results for hostname canonicalization.  For unfortunate
> historical reasons, MIT krb5 defaults to reverse-resolving the IP
> address when canonicalizing hostnames.
>
> For this situation, I believe adding "rdns = false" to the [libdefaults]
> section in krb5.conf should resolve the issue.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
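
Added example (not part of the original thread, and not MIT krb5 source code): a simplified Python model of the canonicalization step described in the quoted reply, showing why two PTR records make the requested host principal vary and why "rdns = false" pins it. The DNS tables are constructed from the nslookup output above, the app1.example.test entry is an invented contrast case, and the function names are hypothetical.

```python
# Simplified model of client-side hostname canonicalization for a host-based
# service principal. Assumption-level sketch; DNS data is constructed inline
# so the script runs offline.

# Forward lookups: short name -> (canonical name, address)
FORWARD = {
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
    "app1": ("app1.example.test", "192.0.2.10"),  # constructed contrast host
}

# Reverse lookups: address -> every PTR name published for it
REVERSE = {
    "10.153.92.100": [
        "vmlxsuche1test.host.magwien.gv.at.",
        "zktest.host.magwien.gv.at.",
    ],
    "192.0.2.10": ["app1.example.test."],
}


def normalize(name):
    """Lowercase and drop the trailing root dot, as a principal name would be."""
    return name.rstrip(".").lower()


def candidate_principals(host, rdns, service="host"):
    """Return every principal the client could end up requesting for `host`."""
    canonical, address = FORWARD[host]
    if rdns:
        # A reverse lookup hands back one PTR name per call, and the order of
        # several PTR records is not stable, so each one is a possible result.
        names = REVERSE.get(address) or [canonical]
    else:
        # rdns = false: the forward canonical name is used as-is.
        names = [canonical]
    return sorted({f"{service}/{normalize(n)}" for n in names})


def audit(hosts=FORWARD):
    """Map each host whose principal is ambiguous under rdns=true to its candidates."""
    report = {}
    for host in hosts:
        candidates = candidate_principals(host, rdns=True)
        if len(candidates) > 1:
            report[host] = candidates
    return report


if __name__ == "__main__":
    for host, principals in audit().items():
        print(f"{host}: ambiguous with rdns=true -> {principals}")
        print(f"{host}: with rdns=false -> {candidate_principals(host, rdns=False)}")
```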

