[16380] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #8837] kprop replication does not work due to
daemon@ATHENA.MIT.EDU (Ingo via RT)
Tue Oct 29 16:45:55 2019
From: "Ingo via RT" <rt@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <6b426003-6de2-c436-d980-39b03abb9ec5@Hoeft-online.de>
Message-ID: <rt-4.4.4-18712-1572381948-916.8837-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8837":;
Date: Tue, 29 Oct 2019 16:45:48 -0400
MIME-Version: 1.0
Reply-To: rt@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >
The problem was that the DNS domain 'example.com' was missing when referring to the local device name, for example
> Getting initial credentials for host/kdc10-1@EXAMPLE.COM
that should be 'host/kdc10-1.example.com@EXAMPLE.COM'.
Because of this the Kerberos credentials do not match and authentication fails.
The reason was an entry in '/etc/hosts'. To avoid an error message from sudo when executed offline (e.g. on a laptop), I was told to insert the hostname into '/etc/hosts' like this:
127.0.1.1 kdc10-1
Together with the name resolution order defined by "hosts: files dns" in '/etc/nsswitch.conf', the file is consulted first and I get:
~$ hostname -f
kdc10-1
This is also used by Kerberos.
The solution is to use the fully qualified local hostname "127.0.1.1 kdc10-1.example.com" in '/etc/hosts' or to omit the local device name completely. In the latter case a DNS lookup is used to resolve the name. I now omit the local device name so that DNS name resolution is used for it.
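The following is an added illustration, not part of the ticket or of the krb5 code base: it emulates how the canonical hostname is chosen under "hosts: files dns" (first matching /etc/hosts line wins, DNS only as a fallback) and what host principal Kerberos would then derive for the three /etc/hosts variants discussed above. The realm, the `DNS_STUB` mapping, the sample hosts-file contents and the helper names (`canonical_name`, `host_principal`, `check_hosts_file`) are constructed assumptions for the demonstration.

```python
# Added example (not krb5 code): emulate canonical-name selection under
# "hosts: files dns" and derive the resulting Kerberos host principal.

REALM = "EXAMPLE.COM"            # assumed realm
LOCAL_HOSTNAME = "kdc10-1"       # what the unqualified `hostname` returns

# Constructed /etc/hosts variants: the entry from the ticket, the fully
# qualified fix, and the variant that omits the local device name entirely.
HOSTS_SHORT = "127.0.0.1 localhost\n127.0.1.1 kdc10-1\n"
HOSTS_FQDN = "127.0.0.1 localhost\n127.0.1.1 kdc10-1.example.com kdc10-1\n"
HOSTS_OMITTED = "127.0.0.1 localhost\n"

# Constructed stand-in for the DNS resolver (search domain example.com).
DNS_STUB = {
    "kdc10-1": "kdc10-1.example.com",
    "kdc10-1.example.com": "kdc10-1.example.com",
}


def parse_hosts(text):
    """Parse /etc/hosts text into (address, canonical_name, aliases) tuples.
    As in the files backend, the first name after the address is the
    canonical name; any further names on the line are aliases."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(hostname, hosts_text, dns=DNS_STUB):
    """Emulate getaddrinfo(AI_CANONNAME) with 'hosts: files dns': the first
    /etc/hosts line naming the host decides the canonical name, and DNS is
    consulted only when no line matches."""
    for _addr, canon, aliases in parse_hosts(hosts_text):
        if hostname == canon or hostname in aliases:
            return canon
    return dns.get(hostname, hostname)


def host_principal(hostname, realm, hosts_text, dns=DNS_STUB):
    """Host-based service principal built from the canonical name."""
    return "host/%s@%s" % (canonical_name(hostname, hosts_text, dns), realm)


def is_fully_qualified(name):
    """True when the name carries a domain part (a trailing dot is ignored)."""
    return "." in name.rstrip(".")


def check_hosts_file(hostname, realm, hosts_text, dns=DNS_STUB):
    """Return (principal, warnings). A warning means an /etc/hosts line
    shadows DNS with a bare short name, which is exactly the condition that
    produced host/kdc10-1@EXAMPLE.COM in the ticket."""
    canon = canonical_name(hostname, hosts_text, dns)
    warnings = []
    if not is_fully_qualified(canon):
        warnings.append(
            "canonical name %r for %r is not fully qualified; qualify it in "
            "/etc/hosts or drop the entry so DNS is used" % (canon, hostname))
    return "host/%s@%s" % (canon, realm), warnings


if __name__ == "__main__":
    for label, hosts in (("short", HOSTS_SHORT), ("fqdn", HOSTS_FQDN),
                         ("omitted", HOSTS_OMITTED)):
        principal, warnings = check_hosts_file(LOCAL_HOSTNAME, REALM, hosts)
        suffix = "  [WARN] " + warnings[0] if warnings else ""
        print("%-8s -> %s%s" % (label, principal, suffix))
```

Running the script shows the short entry yielding host/kdc10-1@EXAMPLE.COM with a warning, while both the fully qualified entry and the omitted entry yield host/kdc10-1.example.com@EXAMPLE.COM; the same check can be pointed at a real /etc/hosts by reading the file into `hosts_text`.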
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs