[30864] in Kerberos


Re: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

daemon@ATHENA.MIT.EDU (Mathew Rowley)
Thu Mar 12 13:45:29 2009

Date: Thu, 12 Mar 2009 11:43:59 -0600
From: Mathew Rowley <mathew_rowley@cable.comcast.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <C5DEA5FF.9409%mathew_rowley@cable.comcast.com>
In-Reply-To: <49B9271F.10801@anl.gov>
Mime-version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

>> On the client, what is the ssh command you type in?

ssh -v red@rsa01.security.lab.comcast.net

>> What is in the /etc/hosts file?

127.0.0.1               localhost.localdomain localhost
::1                     localhost6.localdomain6 localhost6

>> What is in the krb5.conf file?

# This is kdc01.security.lab.comcast.net - client
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMCAST.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
 COMCAST.NET = {
  kdc = kdc01.security.lab.comcast.net:88
  kdc = kdc02.security.lab.comcast.net:88
  admin_server = kdc01.security.lab.comcast.net:749
  admin_server = kdc02.security.lab.comcast.net:749
  default_domain = security.lab.comcast.net
  database_module = openldap_ldapconf
 }

[domain_realm]
 .security.lab.comcast.net = COMCAST.NET
 security.lab.comcast.net = COMCAST.NET

[dbdefaults]
 ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
  ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
  # this object needs to have read rights on
  # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
  # this object needs to have read and write rights on
  # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
  ldap_servers = ldap://kdc01.security.lab.comcast.net
  ldap_conns_per_server = 5
 }

>> Is nsswitch.conf mapping any hosts?

No

>> What does nslookup rsa01.security.lab.comcast.net show?

[red@kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
Server:         10.252.152.70
Address:        10.252.152.70#53

Name:   rsa01.security.lab.comcast.net
Address: 10.252.152.76

>> Is this a private network?

Yes, lab environment

>> Are your DNS servers doing something special and actually returning
>> the name as 10.242.142.77?

They shouldn't be - I configured it, just using named.

Here is a tcpdump of communication with the DNS server when attempting to ssh: http://pastebin.com/m66ff7a28
I looked at the pcap in Wireshark, and it seems like it's doing a standard query with a valid standard response (for A name)...
MAT


On 3/12/09 9:15 AM, "Douglas E. Engert" <deengert@anl.gov> wrote:
> Mathew Rowley wrote:
>> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> to a RH4 box, I get the following error from ssh:
>>
>> ...
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>> ...
>>
>> When looking at the krb5kdc.log I see:
>>
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> 1236809289,  red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>> found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>>
>> It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
>> instead of what I expected 'host/rsa01.security.lab.comcast.net'.  Does
>> anyone have any idea why this would be happening?  I have exact same
>> configurations on RH5 boxes that will work properly and send host/FQDN...
>
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
>
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
>
> A Wireshark trace might show what DNS is doing here.
>
>> Thanks.
>>
>> --
>
> --
>   Douglas E. Engert  <DEEngert@anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
-- MAT
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
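As an added example (not part of this thread or of MIT Kerberos), a small Python check that scans krb5kdc.log lines in the format quoted above and flags TGS requests whose service principal instance is an IP literal rather than an FQDN, the symptom being discussed. The log lines are constructed: the first mirrors the quoted failure, the second is a normal issuance for a host principal and is assumed as a negative case.

```python
import ipaddress
import re

# Constructed sample krb5kdc.log lines in the format quoted in this thread.
# Line 1 mirrors the failing request; line 2 is an assumed normal issuance.
SAMPLE_LOG = """\
Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289,  red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
Mar 11 23:01:12 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: ISSUE: authtime 1236809289,  red@COMCAST.NET for host/rsa02.security.lab.comcast.net@COMCAST.NET
"""

TGS_REQ_RE = re.compile(
    r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<client_ip>[0-9A-Fa-f.:]+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+),\s+"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def parse_tgs_req(line):
    """Fields of a krb5kdc TGS_REQ log line, or None for any other line."""
    m = TGS_REQ_RE.search(line)
    return m.groupdict() if m else None

def service_instance(principal):
    """'host/rsa01.example.net@REALM' -> 'rsa01.example.net'; None if no instance."""
    _, _, rest = principal.partition("/")
    return rest.partition("@")[0] if rest else None

def is_ip_literal(instance):
    """True when a principal instance is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(instance)
    except ValueError:
        return False
    return True

def find_ip_literal_service_requests(log_text):
    """Flag TGS requests whose service principal instance is an IP address.
    The KDC cannot satisfy these unless a host/<ip> principal exists, so they
    point at name resolution on the requesting host, not at a missing keytab."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_tgs_req(line)
        if not fields:
            continue
        instance = service_instance(fields["service"])
        if instance and is_ip_literal(instance):
            hits.append(dict(fields, line=lineno, instance=instance))
    return hits

if __name__ == "__main__":
    for hit in find_ip_literal_service_requests(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} requested {hit['service']} "
              f"({hit['status']}): instance is an IP literal, check the server's hostname lookup")
```

Running it against a real krb5kdc.log separates "the requesting host resolved the target to an address" from "the keytab is missing a principal", which is the distinction the thread is chasing.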
