> Date: Wed, 3 Apr 2013 12:29:59 -0400
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: openssh/mit kerberos and numeric host address
>
> On Wed, 3 Apr 2013, 王剑 wrote:
>
> > Hi,
> >
> > I have set up a MIT kerberos environment. But I meet a problem with numeric
> > host address support.
> >
> > 1. The kdc runs on linux server, debian testing latest, openssh 6.0p1, mit
> > kerberos 1.10.1.
> > 2. A DNS A RR points to linux server, as "kdc = xxx"
> > 3. Windows client: Win7 64bit, putty 0.62, kfw-3-2-2
> > 4. MacOS X client: OSX 10.6.x
> > 5. Linux client: debian testing latest
> > 6. In krb5.conf or krb5.ini, "rdns = false" and in ssh_config,
> > "GSSAPITrustDNS = no"
> > 7. The server has a host/ip@REALM principal in kdc and /etc/krb5.keytab
> >
> > From Windows and OSX clients, we can log in to linux server with "ssh
> > root@ip" by principal, but
> > from linux, kerberos always fails and then falls back to password
> >
> > "debug1: Unspecified GSS failure. Minor code may provide more information
> > Cannot determine realm for numeric host address"
> >
> > At first, I thought it was openssh's problem. But I traced it into
> > ssh_gssapi_init_ctx() then gss_init_sec_context()
> > from libgssapi_krb5.so. It's beyond my affordable time to play with this
> > beast.
> >
> > Does anyone have a solution?
>
> It seems like you may be hitting the getaddrinfo issue mentioned in debian
> bug #697662 (which is
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7124&user=guest&pass=guest
> ).
> This issue is addressed in my version of the debian packaging
> (http://anonscm.debian.org/gitweb/?p=pkg-k5-afs/debian-krb5.git;a=summary)
> but I don't have an ETA for when it will be uploaded to debian.
>
> -Ben Kaduk
>
> P.S. There is KfW 4.0.1 out now; 3.2.2 is quite old.
Thanks.

I have tried Greg Hudson's glibc patch and built the glibc package, per
http://sourceware.org/bugzilla/show_bug.cgi?id=15218
but no success. I have reverted back to the debian official glibc package.

I tested the upstream patch your package refers to, and no success either :(

I installed KfW 4.0.1 then switched back to 3.2.2. The UI of KfW 4.0.1 is _strange_.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
