On Fri, Feb 01, 2013 at 11:00:00AM +0000, John Hodrien wrote:
> On Fri, 1 Feb 2013, Sumit Bose wrote:
>
> >I guess this might be a limitation of sshd. iirc it will not use all
> >tickets from the keytab but only the one that matches
> >host/fully.qualified.host.name where the fully.qualified.host.name is
> >determined with uname() or gethostname(). This means by default a system
> >is only accessible with one fully qualified name with ssh and GSSAPI.
>
> Is this relevant?
>
> GSSAPIStrictAcceptorCheck
>         Determines whether to be strict about the identity of the GSSAPI
>         acceptor a client authenticates against. If “yes” then the client
>         must authenticate against the host service on the current
>         hostname. If “no” then the client may authenticate against any
>         service key stored in the machine’s default store. This facility is
>         provided to assist with operation on multi homed machines. The
>         default is “yes”. Note that this option applies only to protocol
>         version 2 GSSAPI connections, and setting it to “no” may only
>         work with recent Kerberos GSSAPI libraries.

Yes, this sounds as if it would help in Derek's environment.

bye,
Sumit

>
> jh
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
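
An added example, not part of the original thread: a shell check that models the behaviour quoted above, listing which keytab principals sshd could accept with GSSAPIStrictAcceptorCheck set to "yes" or "no". The `klist -k` listing, host names and realm are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT Kerberos layout).
# Each principal appears once per encryption type, hence the repeated line.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node1.internal.example.com@EXAMPLE.COM
   2 host/node1.internal.example.com@EXAMPLE.COM
   2 host/www.example.com@EXAMPLE.COM
   1 nfs/node1.internal.example.com@EXAMPLE.COM
EOF
}

# usable_acceptors STRICT HOSTNAME   (reads a `klist -k` listing on stdin)
# Prints each distinct principal sshd could accept a ticket for:
#   STRICT=yes -> only host/HOSTNAME@REALM (the host service on the current hostname)
#   STRICT=no  -> any service key in the keytab, as the man page text states
usable_acceptors() {
    awk -v strict="$1" -v want="host/$2@" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $2
            if (seen[p]++) next                       # report each principal once
            if (strict == "yes" && index(p, want) != 1) next
            print p
        }'
}

# reachable_as NAME STRICT HOSTNAME   (reads a `klist -k` listing on stdin)
# Exit 0 if a client connecting to NAME, and so requesting a ticket for
# host/NAME, would find a matching acceptor key under the given setting.
reachable_as() {
    usable_acceptors "$2" "$3" |
        awk -v w="host/$1@" 'index($0, w) == 1 { f = 1 } END { exit !f }'
}

# Demo on the constructed listing; on a real host, pipe in `klist -k`
# and pass the name that gethostname() reports instead.
for mode in yes no; do
    echo "GSSAPIStrictAcceptorCheck $mode:"
    sample_keytab_listing | usable_acceptors "$mode" node1.internal.example.com
done
```

With "no", every service key in the keytab becomes a usable acceptor, including the nfs/ entry, so the keytab contents define the accepted identities rather than the hostname alone.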