[37109] in Kerberos
Re: multihomed IP address
daemon@ATHENA.MIT.EDU (Andrew Holway)
Mon Jun 22 12:53:35 2015
In-Reply-To: <55883B4B.3080806@mit.edu>
Date: Mon, 22 Jun 2015 18:53:19 +0200
Message-ID: <CAEiui-ty9rSVdZEnXZ-RKg4kxDy6vUqKysHLWdzQ3Tr6AkWH8g@mail.gmail.com>
From: Andrew Holway <andrew.holway@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Gsandtner Michael <michael.gsandtner@wien.gv.at>,
Weber Sylvia <sylvia.weber@wien.gv.at>,
"kerberos@mit.edu" <kerberos@mit.edu>
I think SSSD has features to get around this kind of stuff.
On 22 June 2015 at 18:43, Greg Hudson <ghudson@mit.edu> wrote:
> On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> > We want to connect with ssh via kerberos. The host's name resolves to
> > one IP address, but the IP address resolves to two names (this is a
> > required DNS configuration):
> > # nslookup vmlxsuche1test
> > Name: vmlxsuche1test.host.magwien.gv.at
> > Address: 10.153.92.100
> >
> > # nslookup 10.153.92.100
> > 100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
> > 100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
> >
> > ssh sometimes works, sometimes does not (falls back to authentication
> > method: password).
> > In both cases the credential cache on the client looks equal (got a TGS
> > for both names):
>
> ssh GSSAPI krb5 userauth does not work well when there are multiple
> possible results for hostname canonicalization. For unfortunate
> historical reasons, MIT krb5 defaults to reverse-resolving the IP
> address when canonicalizing hostnames.
>
> For this situation, I believe adding "rdns = false" to the [libdefaults]
> section in krb5.conf should resolve the issue.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
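Added example, not part of the original messages and not MIT krb5 code: a simplified Python model of the hostname canonicalization discussed in the thread, showing why two PTR records make the requested `host/` principal vary when reverse resolution is on and why it is stable with `rdns = false`. The DNS tables are constructed from the quoted nslookup output; the keytab content and the `ptr_order` parameter are assumptions made for illustration.

```python
# Simplified model of hostname canonicalization for a Kerberos service
# principal, with and without reverse DNS ("rdns" in krb5.conf).
# DNS data is constructed from the nslookup output quoted in the thread.

FORWARD = {  # short name -> (canonical name, address)
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
}
REVERSE = {  # address -> PTR names; a resolver may return them in any order
    "10.153.92.100": [
        "vmlxsuche1test.host.magwien.gv.at.",
        "zktest.host.magwien.gv.at.",
    ],
}


def canonicalize(host, rdns, ptr_order=0):
    """Return the hostname a client would put in host/<name>.

    ptr_order (hypothetical knob) rotates the PTR list to stand in for a
    DNS server that answers with the records in a different order.
    """
    canon, addr = FORWARD[host]
    if rdns:
        ptrs = REVERSE.get(addr, [])
        if ptrs:
            k = ptr_order % len(ptrs)
            canon = (ptrs[k:] + ptrs[:k])[0]  # only the first answer is used
    return canon.rstrip(".").lower()


def service_principals(host, rdns):
    """All principals the client may request across PTR orderings."""
    _, addr = FORWARD[host]
    n = max(1, len(REVERSE.get(addr, [])))
    return sorted({"host/" + canonicalize(host, rdns, i) for i in range(n)})


def check(host, keytab_principals, rdns):
    """Principals the client may request that the server cannot accept."""
    return [p for p in service_principals(host, rdns)
            if p not in keytab_principals]


if __name__ == "__main__":
    keytab = {"host/vmlxsuche1test.host.magwien.gv.at"}  # assumed keytab content
    for rdns in (True, False):
        print("rdns =", rdns, service_principals("vmlxsuche1test", rdns),
              "unmatched:", check("vmlxsuche1test", keytab, rdns))
```
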