
Re: multihomed IP address

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Mon Jun 22 12:35:05 2015

From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: Gsandtner Michael <michael.gsandtner@wien.gv.at>
In-Reply-To: <CDB785DEF421B94BA51F34F0FA19D7BD53BAF00F@ntex2010a.host.magwien.gv.at>
Date: Mon, 22 Jun 2015 17:34:36 +0100
Message-ID: <1434990876.30380.399.camel@ion.is.ed.ac.uk>
Mime-Version: 1.0
Content-Disposition: inline
Cc: Weber Sylvia <sylvia.weber@wien.gv.at>,
        "'kerberos@mit.edu'" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, 2015-06-22 at 10:53 +0000, Gsandtner Michael wrote:
> We want to connect with ssh via kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):
> # nslookup vmlxsuche1test
> Name:   vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
> 
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa      name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa      name = zktest.host.magwien.gv.at.
> 
> ssh sometimes works, sometimes does not (falls back to authentication method: password).
> In both cases the credential cache on the client looks the same (got a TGS for both names):
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadvgsa@MAGWIEN.GV.AT
> 
> Valid starting     Expires            Service principal
> 06/22/15 11:56:42  06/22/15 21:56:42  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 06/22/15 11:56:47  06/22/15 21:56:42  host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT
>         renew until 06/29/15 11:56:42
> 
> If we enter the host vmlxsuche1test (but not the second name zktest) in the client's /etc/hosts (thus the DNS reverse lookup is not done) it always works, and then we get only one TGS:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lanadvgsa@MAGWIEN.GV.AT
> 
> Valid starting     Expires            Service principal
> 06/22/15 10:58:15  06/22/15 20:58:15  krbtgt/MAGWIEN.GV.AT@MAGWIEN.GV.AT
>         renew until 06/29/15 10:58:15
> 06/22/15 10:58:28  06/22/15 20:58:15  host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT
>         renew until 06/29/15 10:58:15
> 
> Here is some more information:
> 
> # klist -ke # the keytab on the host
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
>    5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
> 
> Here is the entry in Active Directory (thus only one entry with both SPNs):
> 
> dn: CN=VMLXSUCHE1TEST,OU=Linux,OU=Server,DC=magwien,DC=gv,DC=at
> servicePrincipalName: host/vmlxsuche1test.host.magwien.gv.at
> servicePrincipalName: host/ZKTEST
> servicePrincipalName: host/zktest.host.magwien.gv.at
> servicePrincipalName: host/VMLXSUCHE1TEST
> msDS-KeyVersionNumber: 5
> 
> KDC: Active Directory 2008
> sshd and ssh: OpenSSH_5.3p1 on Red Hat Enterprise Linux Server release 6.6
> 
> Any hint welcome.

You could try setting GSSAPIStrictAcceptorCheck to "no"
in /etc/ssh/sshd_config on the server.  The sshd_config(5) man page
claims this is there to assist with operation on multihomed machines.

I hope that helps.

Cheers,

Kenny.



-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
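The following script is an added illustration, not code from the thread or from OpenSSH: it models the acceptor-side rule that sshd_config(5) describes for GSSAPIStrictAcceptorCheck and replays it against the two service tickets the client can end up with when reverse DNS returns either name. The keytab listing, the sshd_config fragments and the server hostname are constructed from the values quoted in the thread; the functions strict_acceptor_check, keytab_has and gssapi_accept are hypothetical helpers written for this example, and the "current hostname" that strict mode compares against is assumed to be vmlxsuche1test.

```shell
#!/bin/sh
# Added example: predict the outcome of sshd's GSSAPI acceptor step for a
# multihomed host. With GSSAPIStrictAcceptorCheck=yes (the default) sshd only
# accepts a ticket for host/<current hostname>; with "no" it accepts any
# service key present in the keytab. Nothing here talks to a real sshd.

# Constructed: the two service principals the client may obtain, depending
# on which PTR record the reverse lookup returns.
CLIENT_TICKET_A='host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT'
CLIENT_TICKET_B='host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT'

# Constructed: the server keytab as `klist -ke` prints it (both SPNs, KVNO 5).
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   5 host/vmlxsuche1test.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)
   5 host/zktest.host.magwien.gv.at@MAGWIEN.GV.AT (arcfour-hmac)'

# Assumption: what gethostname() returns on the server, and the realm.
SERVER_HOSTNAME='vmlxsuche1test.host.magwien.gv.at'
REALM='MAGWIEN.GV.AT'

# Constructed sshd_config fragments: default (strict) and relaxed.
SSHD_STRICT='GSSAPIAuthentication yes
# GSSAPIStrictAcceptorCheck is left at its default of yes'
SSHD_RELAXED='GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no'

# Print the effective GSSAPIStrictAcceptorCheck value for the sshd_config
# text on stdin. Keywords are case-insensitive, comments are skipped,
# the first match wins (as sshd does), and the default is "yes".
strict_acceptor_check() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "gssapistrictacceptorcheck" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Succeed if the keytab listing contains the principal given as $1.
keytab_has() {
    printf '%s\n' "$KEYTAB_LISTING" |
        awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Decide the acceptor step for ticket $1 under sshd_config text $2.
# Prints "accept" (status 0) or "reject: <reason>" (status 1).
gssapi_accept() {
    ticket="$1"
    strict=$(printf '%s\n' "$2" | strict_acceptor_check)
    own_principal="host/$SERVER_HOSTNAME@$REALM"
    if ! keytab_has "$ticket"; then
        echo "reject: no keytab entry for $ticket"
        return 1
    fi
    if [ "$strict" = "yes" ] && [ "$ticket" != "$own_principal" ]; then
        echo "reject: strict acceptor check only allows $own_principal"
        return 1
    fi
    echo accept
    return 0
}

# Replay both tickets against both configurations.
for label in SSHD_STRICT SSHD_RELAXED; do
    eval "cfg=\$$label"
    echo "== $label =="
    for t in "$CLIENT_TICKET_A" "$CLIENT_TICKET_B"; do
        printf '%-55s -> %s\n' "$t" "$(gssapi_accept "$t" "$cfg")"
    done
done
```

Under the strict default the zktest ticket is rejected even though its key is in the keytab, which matches the intermittent failures in the thread; relaxing the check makes both tickets acceptable, and a ticket for a name with no keytab entry is still rejected either way.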
