multihomed IP address
daemon@ATHENA.MIT.EDU (Gsandtner Michael)
Mon Jun 22 10:47:21 2015
From: Gsandtner Michael <michael.gsandtner@wien.gv.at>
To: "'kerberos@mit.edu'" <kerberos@mit.edu>
Date: Mon, 22 Jun 2015 10:53:10 +0000
Message-ID: <CDB785DEF421B94BA51F34F0FA19D7BD53BAF00F@ntex2010a.host.magwien.gv.at>
Cc: Weber Sylvia <sylvia.weber@wien.gv.at>
We want to connect with ssh via kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):
# nslookup vmlxsuche1test
Name: vmlxsuche1test.host.magwien.gv.at
Address: 10.153.92.100
# nslookup 10.153.92.100
100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
ssh sometimes works, sometimes it does not (it falls back to authentication method: password).
In both cases the credential cache on the client looks the same (we got a TGS for both names):
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lanadvgsa@MAGWIEN.GV.AT
Valid starting     Expires            Service principal
06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 11:56:42
If we enter the host vmlxsuche1test (but not the second name zktest) in the client's /etc/hosts (so that no DNS reverse lookup is done), it always works, and then we get only one TGS:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lanadvgsa@MAGWIEN.GV.AT
Valid starting     Expires            Service principal
06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
        renew until 06/29/15 10:58:15
06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
        renew until 06/29/15 10:58:15
Here is some more information:
# klist -ke # the keytab on the host
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
Here is the entry in Active Directory (so there is only one entry, with both SPNs):
dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
servicePrincipalName: host/ZKTEST
servicePrincipalName: host/zktest.host.magwien.gv.at
servicePrincipalName: host/VMLXSUCHE1TEST
msDS-KeyVersionNumber: 5
KDC: Active Directory 2008
sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6
Any hint welcome.
Best regards
DI Michael Gsandtner
AS3 - Zentrale Dienste
MA 14 - Informations- und Kommunikationstechnologie
A - 1220 Wien, Stadlauer Straße 56/B.02.054
Telephone: +43 1 4000 91640
Mobile: +43 676 8118 91640
Fax: +43 1 4000 99 91640
E-Mail: michael.gsandtner@wien.gv.at
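One check a reader of this thread would want to run before changing anything is whether the host keytab carries a host/ key for every name the client could canonicalize the typed hostname to. The script below is an added example, not code from the post or from MIT krb5; it embeds the nslookup answers and the `klist -ke` listing from the mail as constructed input so it runs offline, and it models two client behaviours: canonicalization through reverse DNS (what MIT krb5 does by default, and what the `rdns` setting in the `[libdefaults]` section of krb5.conf turns off) and forward-only canonicalization (the effect the /etc/hosts workaround in the mail has, since the address then reverse-maps to the single name in that file). The assumption that the resolver may return either PTR name first when an address has two is labelled in the code; the second, one-name keytab is hypothetical and is there only to show what a gap looks like.

```python
"""Keytab coverage check for a host whose address has several PTR records.

Added example for this thread, not code from the post or from MIT krb5.
DNS answers and the keytab listing are copied from the mail and embedded
as constants (constructed input), so nothing here does a live lookup.
"""
import re

# Forward answer from the post: typed name -> (canonical name, address).
FORWARD = {
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
}

# Reverse answer from the post: the address has two PTR records.
REVERSE = {
    "10.153.92.100": [
        "vmlxsuche1test.host.magwien.gv.at",
        "zktest.host.magwien.gv.at",
    ],
}

# `klist -ke` as posted: both names have a key.
KLIST_KE_POSTED = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
"""

# Hypothetical keytab (not from the post) that only carries the first name.
KLIST_KE_ONE_NAME = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
"""

# One keytab entry: "<kvno> <principal> (<enctype>)"; the enctype is optional
# so plain `klist -k` output parses too.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+\((\S+)\))?\s*$")


def parse_klist_ke(text):
    """Return {principal: {enctypes}} from `klist -ke` / `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # "Keytab name:", column header, ruler, blank lines
        _kvno, princ, enctype = m.groups()
        entries.setdefault(princ, set()).add(enctype)
    return entries


def candidate_service_hosts(typed_name, rdns=True):
    """Host names the client may put into host/<name> for the typed host.

    Modelled on MIT krb5's default: forward lookup first, then, if rdns is
    enabled, a reverse lookup of the address replaces the name.  Assumption
    (not stated in the post): with several PTR records the resolver may hand
    back any of them first, so every PTR name is a candidate.  With rdns
    disabled only the forward canonical name is used.
    """
    canonical, addr = FORWARD[typed_name]
    if not rdns:
        return [canonical]
    return list(REVERSE.get(addr, [canonical]))


def missing_host_principals(typed_name, keytab_text, realm, rdns=True):
    """host/<name>@REALM principals the client may ask for but the keytab lacks."""
    have = parse_klist_ke(keytab_text)
    needed = ["host/%s@%s" % (h, realm)
              for h in candidate_service_hosts(typed_name, rdns)]
    return [p for p in needed if p not in have]


if __name__ == "__main__":
    for label, keytab in (("posted keytab", KLIST_KE_POSTED),
                          ("one-name keytab", KLIST_KE_ONE_NAME)):
        for rdns in (True, False):
            gap = missing_host_principals("vmlxsuche1test", keytab,
                                          "MAGWIEN.GV.AT", rdns)
            print("%-16s rdns=%-5s missing: %s" % (label, rdns, gap or "none"))
```

For the keytab as posted the check reports no gap under either setting, which matches the ticket cache in the mail (the client already obtained service tickets for both names on different runs); the one-name keytab shows the failure shape when rdns is on and one PTR name has no key. Feed real output from `klist -ke` on the server and `nslookup` from the client into the constants to run it against another host.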
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos