>> On the client, what is the ssh command you type in?

ssh -v r...@rsa01.security.lab.comcast.net

>> What is in the /etc/hosts file?

127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6

>> What is in the krb5.conf file?

# This is kdc01.security.lab.comcast.net - client
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COMCAST.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
 COMCAST.NET = {
  kdc = kdc01.security.lab.comcast.net:88
  kdc = kdc02.security.lab.comcast.net:88
  admin_server = kdc01.security.lab.comcast.net:749
  admin_server = kdc02.security.lab.comcast.net:749
  default_domain = security.lab.comcast.net
  database_module = openldap_ldapconf
 }

[domain_realm]
 .security.lab.comcast.net = COMCAST.NET
 security.lab.comcast.net = COMCAST.NET

[dbdefaults]
 ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
  ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
  # this object needs to have read rights on
  # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
  # this object needs to have read and write rights on
  # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
  ldap_servers = ldap://kdc01.security.lab.comcast.net
  ldap_conns_per_server = 5
 }

>> Is nsswitch.conf mapping any hosts?

No

>> What does nslookup rsa01.security.lab.comcast.net show?

[...@kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
Server:         10.252.152.70
Address:        10.252.152.70#53

Name:   rsa01.security.lab.comcast.net
Address: 10.252.152.76

>> Is this a private network?

Yes, lab environment

>> Are your DNS servers doing something special and actually returning
>> the name as 10.242.142.77?

They shouldn't be - I configured it, just using named.

Here is a tcpdump of communication with the DNS server when attempting to ssh:
http://pastebin.com/m66ff7a28

I looked at the pcap in Wireshark, and it seems like it's doing a standard query with a valid standard response (for the A name)...

MAT

On 3/12/09 9:15 AM, "Douglas E. Engert" <deeng...@anl.gov> wrote:

> 
> 
> Mathew Rowley wrote:
>> When trying to ssh with a Kerberos ticket (with GSSAPI enabled and working)
>> to an RH4 box, I get the following error from ssh:
>> 
>> ...
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>> 
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server not found in Kerberos database
>> ...
>> 
>> When looking at the krb5kdc.log I see:
>> 
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289, r...@comcast.net for host/10.252.152...@COMCAST.NET, Server not found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>> 
>> It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
>> instead of what I expected, 'host/rsa01.security.lab.comcast.net'. Does
>> anyone have any idea why this would be happening? I have the exact same
>> configurations on RH5 boxes that work properly and send host/FQDN...
> 
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
> 
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
> 
> A Wireshark trace might show what DNS is doing here.
> 
> 
>> 
>> Thanks.
>> 
> 
> -- 
> 
> Douglas E. Engert <deeng...@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> 

-- 
MAT

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
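The symptom in this thread is visible in the KDC log: a TGS_REQ for a host/ principal whose host component is an IP literal rather than the FQDN the KDC has a key for, so the KDC answers UNKNOWN_SERVER. The following script is an added example and is not code from the thread or from MIT Kerberos; it parses krb5kdc.log TGS_REQ lines in the format quoted above, classifies the requested host/ principal (IP literal, unqualified name, FQDN) and flags the UNKNOWN_SERVER requests that indicate a name-resolution problem on the client or server rather than a missing key. The log lines, hosts, addresses, principals and the EXAMPLE.COM realm are constructed for the example; the regular expression and the `expected_principal` helper are assumptions about the log layout and the host/<fqdn>@REALM naming convention, not part of any MIT library API.

```python
import ipaddress
import re

# Constructed sample lines in the krb5kdc.log TGS_REQ format quoted in the thread.
# Hosts, addresses, principals and the realm are made up for this example.
SAMPLE_LOG = """\
Mar 11 22:59:09 kdc01.example.com krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.78: UNKNOWN_SERVER: authtime 1236809289, alice@EXAMPLE.COM for host/10.0.0.77@EXAMPLE.COM, Server not found in Kerberos database
Mar 11 22:59:10 kdc01.example.com krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.78: ISSUE: authtime 1236809290, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/rsa01.example.com@EXAMPLE.COM
Mar 11 22:59:11 kdc01.example.com krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.79: UNKNOWN_SERVER: authtime 1236809291, bob@EXAMPLE.COM for host/rsa01@EXAMPLE.COM, Server not found in Kerberos database
Mar 11 22:59:12 kdc01.example.com krb5kdc[17694](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.78: ISSUE: authtime 1236809292, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Assumed layout of a TGS_REQ line: "TGS_REQ (<etypes>) <client addr>: <STATUS>: ...,
# <client principal> for <server principal>[, <message>]".
TGS_REQ_RE = re.compile(
    r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<client_addr>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<server>\S+?)(?:,|$)"
)


def classify_host(principal: str):
    """Say what kind of host component a service principal carries.

    Returns (kind, host): 'ip' for an address literal (the symptom in the thread),
    'short' for an unqualified name, 'fqdn' for a dotted name, or 'other' for
    principals that are not host/..., such as krbtgt/REALM.
    """
    name = principal.split("@", 1)[0]          # drop the realm
    service, sep, host = name.partition("/")
    if not sep or service != "host":
        return "other", name
    try:
        ipaddress.ip_address(host)             # raises ValueError unless it is an IP literal
        return "ip", host
    except ValueError:
        return ("fqdn" if "." in host else "short"), host


def parse_tgs_requests(log_text: str):
    """Return one record per TGS_REQ line, with the requested server classified."""
    records = []
    for line in log_text.splitlines():
        m = TGS_REQ_RE.search(line)
        if not m:
            continue  # AS_REQ lines and daemon messages are not ticket-granting requests
        kind, host = classify_host(m.group("server"))
        records.append({
            "client_addr": m.group("client_addr"),
            "status": m.group("status"),
            "client": m.group("client"),
            "server": m.group("server"),
            "host_kind": kind,
            "host": host,
        })
    return records


def suspicious_requests(log_text: str):
    """UNKNOWN_SERVER requests whose host/ principal was built from an IP literal or an
    unqualified name: the client or server resolved the peer to something other than
    its FQDN, so the KDC has no matching key, which is the error in the thread."""
    return [r for r in parse_tgs_requests(log_text)
            if r["status"] == "UNKNOWN_SERVER" and r["host_kind"] in ("ip", "short")]


def expected_principal(fqdn: str, realm: str) -> str:
    """The principal an ssh/GSSAPI host is normally registered under: host/<fqdn>@REALM."""
    return f"host/{fqdn.rstrip('.').lower()}@{realm.upper()}"


if __name__ == "__main__":
    for r in suspicious_requests(SAMPLE_LOG):
        print(f"{r['client_addr']}: {r['client']} asked for {r['server']} "
              f"(host component is {r['host_kind']}: {r['host']})")
```

Run against a real krb5kdc.log, a hit with `host_kind == "ip"` points at the resolver path (hosts file, nsswitch, DNS forward and reverse records) on the machines involved, which is exactly the set of questions asked in the thread; a hit with `host_kind == "short"` usually means a missing default domain or search list. An `ISSUE` record for the FQDN form from the same client address confirms the KDC key itself is fine.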