[30865] in Kerberos


Re: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Mar 12 17:13:27 2009

X-Barracuda-Envelope-From: deengert@anl.gov
Message-ID: <49B97ADB.7090909@anl.gov>
Date: Thu, 12 Mar 2009 16:12:59 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Mathew Rowley <mathew_rowley@cable.comcast.com>
In-Reply-To: <49B9271F.10801@anl.gov>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I bet you have an .ssh/config, or an entry in the ssh_config,
with a Host section with HostName 10.52.152.77.
If so, ssh might be mapping the name you gave
into a string with the numbers, and this is being passed
to Kerberos.





Douglas E. Engert wrote:
> 
> Mathew Rowley wrote:
>> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> to a RH4 box, I get the following error from ssh:
>>
>> ...
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>> ...
>>
>> When looking at the krb5kdc.log I see:
>>
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> 1236809289,  red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>> found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>>
>> It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
>> instead of what I expected, 'host/rsa01.security.lab.comcast.net'.  Does
>> anyone have any idea why this would be happening?  I have the exact same
>> configurations on RH5 boxes that will work properly and send host/FQDN...
> 
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
> 
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
> 
> A Wireshark trace might show what DNS is doing here.
> 
> 
> 
>> Thanks.
>>
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
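
Added example, not part of the original message: one way to check a client for the situation suggested in the reply above, by scanning ssh_config text for Host sections whose HostName is an IP literal. The function names and the sample configuration are constructed for illustration, and the code assumes, as the reply suggests, that the HostName value becomes the host part of the service name requested from Kerberos.

```python
import ipaddress
import re

# Constructed sample input, modeled on the Host section guessed at in the reply.
SAMPLE_SSH_CONFIG = """\
Host rsa01 rsa01.security.lab.comcast.net
    HostName 10.52.152.77
    GSSAPIAuthentication yes

Host kdc01
    HostName = kdc01.security.lab.comcast.net

Host *
    GSSAPIAuthentication yes
"""

# ssh_config options are "Keyword value" or "Keyword=value"; keywords ignore case.
OPTION = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_ip_hostnames(config_text):
    """Return (host_patterns, address, service_name) for every Host or Match
    block whose HostName is an IP literal."""
    findings = []
    block = ["*"]  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        m = OPTION.match(raw.strip())
        if not m:  # blank lines and '#' comments do not match
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "host":
            block = value.split()
        elif keyword == "match":
            block = ["Match " + value]
        elif keyword == "hostname" and is_ip_literal(value):
            # Assumption: the requested service name is host/<HostName value>.
            findings.append((block, value, "host/" + value))
    return findings

if __name__ == "__main__":
    for patterns, addr, service in find_ip_hostnames(SAMPLE_SSH_CONFIG):
        print(f"Host {' '.join(patterns)}: HostName {addr} -> request for {service}")
```

Run it against both the per-user file and the system-wide ssh_config, since either can carry the Host section.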

