>Ken, thank you for the fast response.
>
>Your answer almost fulfills my request. I'll incorporate extra checks
>in our playbooks to strict hostname cases.
>
>One small splinter will remain: why Kerberos lib indicates error with
>exact host principal name that it has in keytab.

Is it possible the kvnos don't match?  I'll be honest; I sometimes resort
to running the debugger in these situations.  The use of the KRB5_TRACE
variable is also sometimes useful; you can use it to enable Kerberos
debug tracing.  You'd want to arrange things so the sshd has it set in
its environment, presumably by a systemd unit file override.  You want
to give it a filename to write the trace output to, e.g.:

        KRB5_TRACE=/tmp/sshd.trace.out

--Ken
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
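
Added example, not part of the message above: one way to test the kvno question raised in the reply is to compare the kvno stored in the keytab with the one the KDC currently issues. The function names, the principal and the sample `klist -k` / `kvno` output below are constructed for illustration.

```shell
#!/bin/sh
# Compare the kvno held in a keytab with the kvno the KDC issues.
# Inputs are the text output of `klist -k KEYTAB` and `kvno PRINCIPAL`.

# Print the distinct kvnos that `klist -k` output (stdin) lists for principal $1.
# A principal appears once per enctype, so duplicates are collapsed.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -nu
}

# Print the kvno from `kvno PRINCIPAL` output (stdin): "name@REALM: kvno = N".
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# check_kvno KLIST_TEXT KVNO_TEXT PRINCIPAL -> prints match | mismatch | unknown
check_kvno() {
    want=$(printf '%s\n' "$2" | kdc_kvno)
    have=$(printf '%s\n' "$1" | keytab_kvnos "$3")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo unknown    # principal not in keytab, or kvno output not parsable
    elif printf '%s\n' "$have" | grep -qx "$want"; then
        echo match
    else
        echo mismatch   # keytab key is stale relative to the KDC
    fi
}

# Constructed sample data (hypothetical host and realm).
PRINC='host/server.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/server.example.com@EXAMPLE.COM: kvno = 4'

check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$PRINC"   # prints: mismatch
```

On a live host the two text arguments would come from `klist -k /etc/krb5.keytab` (run as a user who can read the keytab) and `kvno` for the host principal (run with a valid TGT).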
