It was the problem with the hostname set on the ldap2.shadow.com server. The command 'hostname -f' was not returning the fully qualified domain name of the machine. When I fixed it, the issue with single sign-on was fixed.

This was the erroneous output:

[root@ldap2 pam.d]# hostname
ldap2.shadow.com
[root@ldap2 pam.d]# hostname -f
ldap2

Also I had some misconceptions about how single sign-on works. Now that is cleared up.

[root@krb-client ~]# kinit bkurian
Password for bkur...@shadow.com:
[root@krb-client ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bkur...@shadow.com

Valid starting     Expires            Service principal
03/06/12 12:50:38  03/07/12 12:50:38  krbtgt/shadow....@shadow.com

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@krb-client ~]#
[root@krb-client ~]# ssh bkur...@krb-ldap.shadow.com
Last login: Tue Mar  6 12:50:19 2012 from krb-client.shadow.com
[bkurian@krb-ldap ~]$

Thanks a lot for all the help.

On 12 March 2012 18:20, Jean-Christophe Gay <jean-christophe....@dauphine.fr> wrote:
> On Mon, 5 Mar 2012 20:27:42 +0530,
> Basil Kurian <basilkur...@gmail.com> wrote:
>
> > > Kerberos doesn't remember credentials that way. You must first
> > > obtain a TGT -- either manually using `kinit bkur...@shadow.com`,
> > > or by configuring the client system to do this upon logging in
> > > locally.
> >
> > [root@client ~]# kdestroy
> > kdestroy: No credentials cache found while destroying cache
> > [root@client ~]#
> > [root@client ~]#
> > [root@client ~]# kinit bkurian
> > Password for bkur...@shadow.com:
> > [root@client ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: bkur...@shadow.com
> >
> > Valid starting     Expires            Service principal
> > 03/05/12 20:25:09  03/06/12 20:25:09  krbtgt/shadow....@shadow.com
> >         renew until 03/05/12 20:25:09
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
>
> Authentication is working, you can get a ticket. After your ssh attempt,
> what is the result of klist on that machine?
>
> And, what is the hostname of the ssh server?
>
> This problem may come from 3 problems (or more):
> 1 - You didn't create the host/ldap2.shadow....@shadow.com principal
> correctly.
> 2 - You didn't dispatch the correct keytab on that server.
> 3 - The hostname of that server isn't matching the principal name in
> the KDC database.
>
> Also, can you, after a successful ssh on ldap2.shadow.com, obtain a TGT
> from the KDC with that user?
>
> --
> Jean-Christophe Gay -- Université Paris Dauphine
> Information Systems Security Officer
> Tel : 01 44 05 45 04
> jean-christophe....@dauphine.fr
>

--
Regards
Basil
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
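The check the thread converges on (a GSSAPI ssh client builds the service principal host/<fqdn>@REALM from the name it connected to, so the server's `hostname -f` must be fully qualified and that exact principal must be in the server's keytab) can be scripted. The script below is an added example, not code from the thread or from the Kerberos project; the realm SHADOW.COM, the function names and the `klist -k` listing are assumed or constructed for illustration, and the listing is an inline sample rather than a live keytab so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an ssh server's FQDN
# maps to a host/ principal present in its keytab. Catches cause 2
# (wrong keytab) and cause 3 (hostname not matching the principal) from
# the reply above. Realm SHADOW.COM and the listing are assumptions.

# Constructed sample of `klist -k /etc/krb5.keytab` output. On a real
# server use "$(klist -k /etc/krb5.keytab)" instead.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.shadow.com@SHADOW.COM
   2 host/ldap2.shadow.com@SHADOW.COM
   2 host/ldap2.shadow.com@SHADOW.COM'

# is_fqdn NAME -> 0 if NAME contains at least one dot, 1 otherwise.
# A bare "ldap2" (the output of the broken `hostname -f` in the thread)
# fails this test.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_has_host_principal FQDN REALM LISTING -> 0 if LISTING (the text
# of `klist -k`) contains host/FQDN@REALM as a principal, else 1.
keytab_has_host_principal() {
    _fqdn=$1; _realm=$2; _listing=$3
    printf '%s\n' "$_listing" | awk -v want="host/${_fqdn}@${_realm}" \
        '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# check_host_principal FQDN REALM LISTING -> prints a verdict; returns 0
# on success, 1 if FQDN is not fully qualified, 2 if the keytab lacks it.
check_host_principal() {
    _fqdn=$1; _realm=$2; _listing=$3
    if ! is_fqdn "$_fqdn"; then
        echo "FAIL: '$_fqdn' is not fully qualified; fix hostname/DNS so hostname -f returns the FQDN"
        return 1
    fi
    if ! keytab_has_host_principal "$_fqdn" "$_realm" "$_listing"; then
        echo "FAIL: keytab has no host/$_fqdn@$_realm (principal not created or wrong keytab deployed)"
        return 2
    fi
    echo "OK: host/$_fqdn@$_realm present in keytab"
    return 0
}

# Demo against the constructed listing: the short name from the thread
# fails, the corrected FQDN passes.
check_host_principal "ldap2" SHADOW.COM "$SAMPLE_KEYTAB" || true
check_host_principal "ldap2.shadow.com" SHADOW.COM "$SAMPLE_KEYTAB"

# On the real server, run:
# check_host_principal "$(hostname -f)" SHADOW.COM "$(klist -k /etc/krb5.keytab)"
```

The keytab check only proves the principal is present; a key version (KVNO) that differs from the one in the KDC still breaks GSSAPI, so if this passes and ssh still falls back to a password, compare the KVNO shown by `klist -k` against the KDC's copy next.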