On Wed, Sep 22, 2010 at 9:53 PM, Jonathan Simms <[email protected]> wrote:
> On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <[email protected]> wrote:
>> I found only one reference to the string "Negative cache rejected
>> lookup for" searching Google for information, so I figured I'd ask
>> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
>> am kinited on OS X, and when I try to ssh to the Debian box, I get the
>> following error message in the debug output:
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Negative cache rejected lookup for 'host/$f...@$realm'
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>>
>>
>> When I ssh to another box and kinit there, then ssh over to the same
>> host, it does the GSS exchange fine, forwards my credentials, and I
>> see the host's ticket when I do klist.
>>
>> Any clue what this negative cache is on OS X and how to clear it? The
>> only reference I found was
>> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
>> and I'd rather not reboot my box if I can help it :)
>>
>> -- Jonathan
>>
>
> Looking at the KDC logs, it seems that I got an UNKNOWN_SERVER
> response for the host I was trying to connect to (cfengine hadn't set
> up the principal yet). After setting up the principal and confirming
> in kadmin that it did indeed exist, I tried sshing again, and noticed
> that in the KDC logs, OS X didn't even attempt to get a key for the
> host. It seems CCacheServer (I'm guessing) is caching the negative
> reply. Is there any way of tuning this behavior?
>
One last thing, if I kdestroy and kinit again, then ssh to the host, I
get a ticket for the host and the exchange works fine.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
