[39505] in Kerberos


Strange behavior with mixed case host name/principal

daemon@ATHENA.MIT.EDU (Jafar Aliev)
Fri Apr 18 12:42:18 2025

MIME-Version: 1.0
From: Jafar Aliev <tubecleaner@gmail.com>
Date: Fri, 18 Apr 2025 19:41:53 +0300
Message-ID: <CALwi_rrX1-LGsjT7zr-bYyhf+GneUZV6S9kVA=-yf_pTh5PsjA@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Good day.
My setup:
rhel-based distro
OpenSSH_8.9p1 sshd
kerberos-libs 1.20.1
sssd 2.8.2

Server joined the Windows AD via realm. Authentication from a Windows
client (PuTTY 0.71) via password works well, but GSSAPI fails with an
error (sshd logs):

No credentials were supplied, or the credentials were unavailable or
inaccessible\nNo key table entry found matching
host/SERVER.domain.local@

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 SERVER$@DOMAIN.LOCAL
   4 SERVER$@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL

$hostname -f
SERVER.domain.local

$dig +short -x <IP>
SERVER.domain.local

krb5.conf
=======
includedir /etc/krb5.conf.d/
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_ccache_name = KEYRING:persistent:%{uid}
    default_keytab_name = FILE:/etc/krb5.keytab
[realms]
[domain_realm]

Workarounds with sshd_config
GSSAPIStrictAcceptorCheck no
or krb5.conf
ignore_acceptor_hostname = true
work well, but I want to keep a strict hostname check.

Well, I have found that if I use an all-lowercase hostname, everything works well:

$hostname -f
server.domain.local

$dig +short -x <IP>
server.domain.local

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@DOMAIN.LOCAL
   2 SERVER$@DOMAIN.LOCAL
   2 host/SERVER@DOMAIN.LOCAL
   2 host/SERVER@DOMAIN.LOCAL
   2 host/server.domain.local@DOMAIN.LOCAL
   2 host/server.domain.local@DOMAIN.LOCAL
   2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   2 RestrictedKrbHost/SERVER@DOMAIN.LOCAL
   2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL
   2 RestrictedKrbHost/server.domain.local@DOMAIN.LOCAL


Apr 18 19:37:54 server.domain.local sshd[51224]: Authorized to
jafar@domain.local, krb5 principal jafar@DOMAIN.LOCAL
(ssh_gssapi_krb5_cmdok)
Apr 18 19:37:55 server.domain.local sshd[51224]: Accepted
gssapi-with-mic for jafar@domain.local from 10.*.*.* port 57997 ssh2:
jafar@DOMAIN.LOCAL
Apr 18 19:37:55 server.domain.local sshd[51224]:
pam_unix(sshd:session): session opened for user
jafar@domain.local(uid=***) by (uid=0)


Is this predefined behavior, or am I misunderstanding something?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
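As an added diagnostic (not code from the post, from MIT Kerberos or from sssd), the following Python script parses `klist -k` output and checks whether the keytab holds the `host/` principal sshd will look for, distinguishing an exact match from an entry that differs only in letter case. Kerberos principal comparison is case-sensitive, so a case-only variant is reported separately from a missing entry. The embedded keytab listing is constructed from the failing setup in the post; the `hostname -f` / `klist -k` calls in `main()` are used only when the script is run directly.

```python
"""Case-aware check for the sshd host principal in a keytab (added example)."""
import re
import subprocess

# Constructed sample: the `klist -k` listing from the failing (mixed-case) setup.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 SERVER$@DOMAIN.LOCAL
   4 host/SERVER@DOMAIN.LOCAL
   4 host/SERVER.domain.local@DOMAIN.LOCAL
   4 RestrictedKrbHost/SERVER.domain.local@DOMAIN.LOCAL
"""

# One keytab entry line: "<kvno> <principal>"; header and separator lines don't match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal) tuples from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_host_principal(klist_text, fqdn, realm):
    """Report whether host/<fqdn>@<realm> is in the keytab.

    status is one of:
      'exact'     - the principal is present with identical case
      'case-only' - only entries that differ solely in letter case exist
      'missing'   - no entry matches even case-insensitively
    """
    want = f"host/{fqdn}@{realm}"
    principals = {p for _, p in parse_klist(klist_text)}
    if want in principals:
        return {"status": "exact", "wanted": want, "matches": [want]}
    # Principal comparison in Kerberos is case-sensitive, so these entries
    # will not satisfy a strict acceptor check even though they look alike.
    near = sorted(p for p in principals if p.lower() == want.lower())
    if near:
        return {"status": "case-only", "wanted": want, "matches": near}
    return {"status": "missing", "wanted": want, "matches": []}


def main():
    """Run against the live host when possible, else against the sample."""
    try:
        fqdn = subprocess.run(["hostname", "-f"], capture_output=True,
                              text=True, check=True).stdout.strip()
        listing = subprocess.run(["klist", "-k"], capture_output=True,
                                 text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Offline fallback using the constructed sample from the post.
        fqdn, listing = "server.domain.local", SAMPLE_KLIST
    realm = "DOMAIN.LOCAL"  # assumption: the realm from the post
    for candidate in (fqdn, fqdn.lower()):
        result = check_host_principal(listing, candidate, realm)
        print(f"{result['wanted']}: {result['status']} {result['matches']}")


if __name__ == "__main__":
    main()
```

Running it with the mixed-case hostname reports `exact` for `host/SERVER.domain.local@DOMAIN.LOCAL`, while the lowercased form the client may request comes back as `case-only`, which is the mismatch a strict acceptor check will reject.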
