[37114] in Kerberos
AW: multihomed IP address
daemon@ATHENA.MIT.EDU (Gsandtner Michael)
Tue Jun 23 13:25:53 2015
From: Gsandtner Michael <michael.gsandtner@wien.gv.at>
To: "'Greg Hudson *EXTERN*'" <ghudson@mit.edu>,
"'kerberos@mit.edu'"
<kerberos@mit.edu>
Date: Tue, 23 Jun 2015 06:02:13 +0000
Message-ID: <CDB785DEF421B94BA51F34F0FA19D7BD53BAF319@ntex2010a.host.magwien.gv.at>
In-Reply-To: <55883B4B.3080806@mit.edu>
Content-Language: de-DE
MIME-Version: 1.0
Cc: advldap-l <advldap-l@wien.gv.at>, Weber Sylvia <sylvia.weber@wien.gv.at>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
This indeed solves our problem.
Many thanks, best regards --Michael Gsandtner
-----Original Message-----
From: Greg Hudson *EXTERN* [mailto:ghudson@mit.edu]
Sent: Monday, 22 June 2015 18:44
To: Gsandtner Michael; 'kerberos@mit.edu'
Cc: Weber Sylvia
Subject: Re: multihomed IP address
On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> We want to connect with ssh via Kerberos. The host's name resolves to one IP address, but the IP address resolves to two names (this is a required DNS configuration):
> # nslookup vmlxsuche1test
> Name: vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
>
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
>
> ssh sometimes works, sometimes does not (falls back to authentication method: password).
> In both cases the credential cache on the client looks equal (got a TGS for both names):
ssh GSSAPI krb5 userauth does not work well when there are multiple
possible results for hostname canonicalization. For unfortunate
historical reasons, MIT krb5 defaults to reverse-resolving the IP
address when canonicalizing hostnames.
For this situation, I believe adding "rdns = false" to the [libdefaults]
section in krb5.conf should resolve the issue.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
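
Added example (not part of the original messages and not MIT krb5 code): a simplified model of the client-side hostname canonicalization discussed in this thread, showing which host principals can be requested with the default setting and with "rdns = false". The DNS data is copied from the nslookup output quoted above; the realm EXAMPLE.REALM, the function names and the sample krb5.conf text are assumptions made for the illustration.

```python
# Simplified model of hostname canonicalization; an illustration only.
import re

# DNS data taken from the nslookup output quoted in the message.
FORWARD = {"vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100")}
REVERSE = {"10.153.92.100": ["vmlxsuche1test.host.magwien.gv.at.",
                             "zktest.host.magwien.gv.at."]}
REALM = "EXAMPLE.REALM"  # placeholder: the realm is not given on the page


def rdns_enabled(krb5_conf):
    """Return the rdns setting from [libdefaults]; it defaults to true."""
    section, value = None, True
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key == "rdns":
                value = val.lower() in ("true", "yes", "y", "t", "1", "on")
    return value


def candidate_principals(short_name, krb5_conf):
    """Every host principal the client may end up requesting for short_name."""
    canonical, address = FORWARD[short_name]
    if rdns_enabled(krb5_conf):
        # Reverse lookup: with two PTR records, either name may be the result.
        names = [n.rstrip(".") for n in REVERSE.get(address, [canonical])]
    else:
        # rdns = false: only the forward-resolved canonical name is used.
        names = [canonical]
    return {"host/%s@%s" % (n.lower(), REALM) for n in names}


# Constructed krb5.conf fragments: the default, and the suggested fix.
DEFAULT_CONF = "[libdefaults]\n    default_realm = EXAMPLE.REALM\n"
FIXED_CONF = DEFAULT_CONF + "    rdns = false\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("rdns = false", FIXED_CONF)):
        print(label, sorted(candidate_principals("vmlxsuche1test", conf)))
```

With the default setting the model yields two candidate principals, matching the two service tickets reported in the credential cache; with "rdns = false" only the principal for the forward-resolved name remains.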