The joys of ActiveDirectory and Kerberized SSH

Todd, David dtodd at
Tue Jul 7 16:35:00 EDT 2009

On 6/30/09 8:27, "Tom Yu" <tlyu at MIT.EDU> wrote:

> Are you sure this isn't "host/hq-svn" or "host/" followed by the
> fully-qualified domain name of "hq-svn"?

Yeah, it looks like host/FQDN.

> I would like to know more details about the "AD server giving back
> more than one answer" situation.  How did you determine this, and what
> different answers was it giving back?

To be honest, this was a supposition based on discovering that there were
multiple entries for the same Service Principal name, and that getting rid
of the excess entries corrected the problem.

I had to slog through the Windows server logs to discover AD complaining,
and then found the entries with the LDP tool, though I'm guessing it could
have been discovered with ldapsearch or some such.

> Ubuntu 8.04 uses krb5-1.6.3.  The recent krb5-1.7 release has many
> enhancements, which include providing extended error information
> strings in more places, including in the situation you describe.
> There is also a patch queued for the upcoming krb5-1.6.4 maintenance
> release to add that extended error reporting information.

I will value this highly.

> Thanks for letting us know.  We have been working on improving our
> error reporting for some time now, mostly by adding extended error
> information to places where the existing fixed strings provide
> insufficient information.  Having additional reports like yours can
> help us with that effort.

Glad to help. It's a good mechanism; I'd like it to continue to be so.
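The duplicate-SPN check David describes, as an added example that is not part of this thread: a Python script that parses LDIF-style ldapsearch output (a constructed sample is embedded inline) and reports every servicePrincipalName registered on more than one directory object. The ldapsearch query mentioned in the comment is an assumption about how the data would be gathered.

```python
# Added example: find servicePrincipalName values held by more than one AD object,
# from LDIF output such as: ldapsearch -LLL '(servicePrincipalName=host/*)' dn servicePrincipalName
from collections import defaultdict

# Constructed sample: a retired host still carries the SPN of hq-svn.
SAMPLE_LDIF = """\
dn: CN=HQ-SVN,OU=Servers,DC=example,DC=com
servicePrincipalName: host/hq-svn.example.com
servicePrincipalName: host/HQ-SVN

dn: CN=OLD-SVN,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/hq-svn.example.com
servicePrincipalName: host/old-svn.example.com

dn: CN=FILESRV,OU=Servers,DC=example,DC=com
servicePrincipalName: host/filesrv.example.com
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]}; unfolds continuation lines (leading space) and
    splits entries on blank lines. Base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, spns = {}, None, []
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = spns
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "serviceprincipalname":
            spns.append(value.strip())
    return entries

def find_duplicate_spns(entries):
    """SPN -> sorted DNs, for SPNs held by more than one object. AD compares
    SPNs case-insensitively, so they are lower-cased before grouping."""
    owners = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}
```

Run it against the real export and any SPN listed with two owners is the one the KDC cannot resolve unambiguously; the short `host/HQ-SVN` form on its own is not flagged because only one object holds it.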

