On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <[email protected]> wrote:
> I found only one reference to the string "Negative cache rejected
> lookup for" searching google for information, so I figured I'd ask
> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
> am kinited on osx, and try to ssh to the debian box, I get the
> following error message in the debug output:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Negative cache rejected lookup for 'host/$f...@$realm'
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
>
> debug1: Unspecified GSS failure. Minor code may provide more information
>
>
> When I ssh to another box and kinit there, then ssh over to the same
> host, it does the GSS exchange fine, forwards my credentials, and I
> see the host's ticket when I do klist.
>
> Any clue what this negative cache is on OS-X and how to clear it? The
> only reference I found was
> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
> and I'd rather not reboot my box if I can help it :)
>
> -- Jonathan
>

Looking at the kdc logs, it seems that I got an UNKNOWN_SERVER response for the host I was trying to connect to (cfengine hadn't set up the principal yet). After setting up the principal and confirming in kadmin that it did indeed exist, I tried sshing again, and noticed that in the kdc logs, OS-X didn't even attempt to get a key for the host. It seems CCacheServer (I'm guessing) is caching the negative reply. Is there any way of tuning this behavior?

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
