So how do I know what idea the client/server gets of the server host
name? It looks like the reverse map works well and they can get the same
IP/address.

Eric

On Tue, Jan 4, 2011 at 7:24 PM, Simon Wilkinson <si...@sxw.org.uk> wrote:
>
> On 4 Jan 2011, at 10:57, Lee Eric wrote:
>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Key table entry not found
>> [...]
>> So I notice that it was because the SSH server side cannot find the keytab,
>> but it exists in /etc/krb5.keytab:
>> -r--------. 1 root root 526 Jan  3 00:58 /etc/krb5.keytab
>>
>> What I suppose is: is there any sshd_config entry I need to set up
>> to indicate the path of the keytab?
>
> Not that it can't find the keytab, but that the entry that sshd is looking 
> for cannot be found in the keytab. This suggests that the principal that 
> you've put into the keytab doesn't match the name that the machine knows 
> itself by. ssh uses host/gethostbyname(gethostname()) as the default 
> principal - as do many other Kerberised services. It's worth making sure that 
> your machine's idea of its name is correct.
>
> OpenSSH with my patches does offer a way around this - you can use 
> GSSAPIStrictAcceptorCheck no, to allow it to accept any key in the keytab - 
> but see the discussions in another recent thread about the pros, and cons, of 
> this. However, this only helps if the name picked by the client correctly
> matches one that's in the keytab. If you've got naming problems, and it sounds
> like you do, it's worth sorting all of those out before trying to get Kerberos
> going.
>
> Cheers,
>
> Simon.
>
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
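
The check described in the quoted reply, as an added example that is not part of the original thread: it derives the default principal name host/gethostbyname(gethostname()) and compares it with the principals listed by a plain `klist -k`. The function names and the keytab listing are constructed for illustration.

```python
import socket

# Constructed sample of plain `klist -k` output (not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/server@EXAMPLE.COM
   2 host/server@EXAMPLE.COM
"""

def canonical_name():
    """The machine's idea of its own name: gethostbyname(gethostname())."""
    name = socket.gethostname()
    try:
        return socket.gethostbyname_ex(name)[0]
    except OSError:
        return name  # resolver failure is itself a naming problem

def keytab_principals(klist_output):
    """Principals from `klist -k` text; entry lines start with a numeric KVNO."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            found.update(p for p in parts[1:2] if "@" in p)
    return found

def short_host(principal_name):
    """Lower-cased first DNS label of a host/<name> principal."""
    return principal_name.split("/", 1)[1].split(".")[0].lower()

def check_keytab(canonical, klist_output):
    """Return (status, names): 'match', 'mismatch' (near miss) or 'missing'."""
    want = "host/" + canonical
    names = {p.rsplit("@", 1)[0] for p in keytab_principals(klist_output)}
    if want in names:  # principal names are case-sensitive
        return "match", [want]
    near = sorted(n for n in names
                  if n.startswith("host/") and short_host(n) == short_host(want))
    return ("mismatch", near) if near else ("missing", [])

if __name__ == "__main__":
    # Paste real `klist -k` output in place of the sample to check a server.
    print("local canonical name:", canonical_name())
    print(check_keytab("server.example.com", SAMPLE_KLIST))
```

A "mismatch" result corresponds to the "Key table entry not found" case discussed above: the keytab holds a host key, but under a different spelling of the host name than the one the machine resolves for itself.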
