[23791] in Kerberos
Re: openssh single-sign-on problem
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Thu Apr 28 09:24:42 2005
To: Klavs Klavsen <kl@vsen.dk>
In-reply-to: <42709C98.609@vsen.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 28 Apr 2005 09:23:31 -0400
From: Kevin Coffman <kwc@citi.umich.edu>
Message-Id: <20050428132331.78CB91BBB8@citi.umich.edu>
cc: Kevin Coffman <kwc@citi.umich.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
> Now I want to try to enable single-sign-on using openssh. When trying it
> from KDC host to itself, it works fine (after I created a
> host/auth01.example.dk principal - which for some reason got a kvno of 2
> - don't know if this matters).
> I then add my client (another FreeBSD 5.3 server) as a principal and
> copy the relevant entry in the /etc/krb5.keytab to the client.
>
> When I try to ssh login to my auth01 server (the kdc) I get this in the
> krb5kdc.log:
>
> Apr 26 15:00:30 auth01.example.dk krb5kdc[34324](info): TGS_REQ (6
> etypes {16 5 23 3 2 1}) x.x.x.x: UNKNOWN_SERVER: authtime 1114520337,
> ktk@EXAMPLE.DK for krbtgt/PROD.DK.EXAMPLE.NET@EXAMPLE.DK, Server not
> found in Kerberos database
>
> But I can't figure out where it gets the PROD.DK.EXAMPLE.NET part from -
> it should have read vmwarefbsd5.example.dk - as that's what the forward
> and reverse DNS info points to.
The client (auth01.example.dk) thinks that the (ssh) server (hostname?)
is in a different realm (PROD.DK.EXAMPLE.NET) and is trying to get
a cross-realm ticket. Check the [domain_realm] stanza of your
/etc/krb5.conf file on the client and make sure that the ssh server's
hostname maps to the correct realm (EXAMPLE.DK).
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
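The [domain_realm] lookup Kevin points at, as an added example for this thread rather than code from the list or from MIT krb5: a small Python model of how a client maps an ssh server's hostname to a realm and which principal it then asks its KDC for, run against two constructed krb5.conf fragments (a stale mapping that reproduces the cross-realm krbtgt request in the log, and the corrected one). It follows the documented MIT order (exact host entry, then the nearest parent domain written with a leading dot, then default_realm) and leaves out the DNS and referral fallbacks.

```python
# Model of a Kerberos client's [domain_realm] lookup (krb5.conf) and the resulting
# KDC request. Added example, not MIT krb5 code; no DNS/referral fallbacks.
BROKEN_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.DK
[domain_realm]
    .example.dk = PROD.DK.EXAMPLE.NET
    vmwarefbsd5.example.dk = EXAMPLE.DK
"""
FIXED_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.DK
[domain_realm]
    .example.dk = EXAMPLE.DK
"""
def parse_krb5_conf(text):
    """Minimal parser: returns (default_realm, {host_or_domain: realm})."""
    section, default_realm, mapping = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            mapping[key.lower()] = value
    return default_realm, mapping

def host_to_realm(conf, hostname):
    """Exact hostname entry wins, then the longest dotted parent, else default."""
    default_realm, mapping = conf
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # tries .example.dk before .dk
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm

def tgs_request_for(conf, client_principal, server_host):
    """host/ principal if realms match, else the cross-realm krbtgt/ request."""
    client_realm = client_principal.split("@", 1)[1]
    server_realm = host_to_realm(conf, server_host)
    if server_realm == client_realm:
        return "host/%s@%s" % (server_host, client_realm)
    return "krbtgt/%s@%s" % (server_realm, client_realm)
```

With the stale mapping, an ssh to auth01.example.dk from ktk@EXAMPLE.DK produces exactly the krbtgt/PROD.DK.EXAMPLE.NET@EXAMPLE.DK request the KDC logged as UNKNOWN_SERVER; with the corrected stanza the client asks for host/auth01.example.dk@EXAMPLE.DK instead.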