
Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)


Mathew Rowley

Mar 11, 2009, 7:34:32 PM
to kerb...@mit.edu
When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
to a RH4 box, I get the following error from ssh:

...
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
...

When looking at the krb5kdc.log I see:

Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
(7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
1236809289, r...@COMCAST.NET for host/10.252...@COMCAST.NET, Server not
found in Kerberos database
krb5kdc: Interrupted system call - while selecting for network input(1)

It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
instead of what I expected 'host/rsa01.security.lab.comcast.net'. Does
anyone have any idea why this would be happening? I have exact same
configurations on RH5 boxes that will work properly and send host/FQDN...
Thanks.

--
MAT

Thomas Mueller

Mar 12, 2009, 2:09:44 AM
to kerb...@mit.edu

> When looking at the krb5kdc.log I see:
>
> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER:
> authtime 1236809289, r...@COMCAST.NET for
> host/10.252...@COMCAST.NET, Server not found in Kerberos database
> krb5kdc: Interrupted system call - while selecting for network input(1)
>
> It seems like the box I am trying to ssh to is sending
> 'host/10.242.142.77' instead of what I expected
> 'host/rsa01.security.lab.comcast.net'. Does anyone have any idea why
> this would be happening? I have exact same configurations on RH5 boxes
> that will work properly and send host/FQDN... Thanks.

reverse lookup of 10.252.152.78 on the host sending the ip address
instead of the hostname shows the expected hostname?

- Thomas

Mathew Rowley

Mar 12, 2009, 10:31:02 AM
to Thomas Mueller, kerb...@mit.edu
Yes, reverse lookup works correctly...


[root@rsa01 ~]# nslookup 10.252.152.78
Server: 10.252.152.70
Address: 10.252.152.70#53

78.152.252.10.in-addr.arpa name = kdc01.security.lab.comcast.net.

MAT


On 3/12/09 12:09 AM, "Thomas Mueller" <tho...@chaschperli.ch> wrote:

>
>
>> > When looking at the krb5kdc.log I see:
>> >
>> > Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info):
>> > TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER:
>> > authtime 1236809289, r...@COMCAST.NET for
>> > host/10.252...@COMCAST.NET, Server not found in Kerberos database
>> > krb5kdc: Interrupted system call - while selecting for network input(1)
>> >
>> > It seems like the box I am trying to ssh to is sending
>> > 'host/10.242.142.77' instead of what I expected
>> > 'host/rsa01.security.lab.comcast.net'. Does anyone have any idea why
>> > this would be happening? I have exact same configurations on RH5 boxes
>> > that will work properly and send host/FQDN... Thanks.
>
> reverse lookup of 10.252.152.78 on the host sending the ip address
> instead of the hostname shows the expected hostname?
>
> - Thomas
>

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
MAT

Douglas E. Engert

Mar 12, 2009, 11:15:43 AM
to Mathew Rowley, kerb...@mit.edu

Mathew Rowley wrote:
> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
> to a RH4 box, I get the following error from ssh:
>
> ...
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
> ...
>
> When looking at the krb5kdc.log I see:
>
> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
> 1236809289, r...@COMCAST.NET for host/10.252...@COMCAST.NET, Server not
> found in Kerberos database
> krb5kdc: Interrupted system call - while selecting for network input(1)
>
> It seems like the box I am trying to ssh to is sending 'host/10.242.142.77'
> instead of what I expected 'host/rsa01.security.lab.comcast.net'. Does
> anyone have any idea why this would be happening? I have exact same
> configurations on RH5 boxes that will work properly and send host/FQDN...

On the client, what is the ssh command you type in?
What is in the /etc/hosts file?
What is in the krb5.conf file?
Is nsswitch.conf mapping any hosts?
What does nslookup rsa01.security.lab.comcast.net show?

Is this a private network?
Are your DNS servers doing something special and actually returning
the name as 10.242.142.77?

A Wireshark trace might show what DNS is doing here.

> Thanks.
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Mathew Rowley

Mar 12, 2009, 1:43:59 PM
to Douglas E. Engert, kerb...@mit.edu
>>On the client, what is the ssh command you type in?
ssh -v r...@rsa01.security.lab.comcast.net

>>What is in the /etc/hosts file?

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

>>What is in the krb5.conf file?

# This is kdc01.security.lab.comcast.net - client
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = COMCAST.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[realms]
COMCAST.NET = {
kdc = kdc01.security.lab.comcast.net:88
kdc = kdc02.security.lab.comcast.net:88
admin_server = kdc01.security.lab.comcast.net:749
admin_server = kdc02.security.lab.comcast.net:749
default_domain = security.lab.comcast.net
database_module = openldap_ldapconf
}

[domain_realm]
.security.lab.comcast.net = COMCAST.NET
security.lab.comcast.net = COMCAST.NET

[dbdefaults]
ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
ldap_servers = ldap://kdc01.security.lab.comcast.net
ldap_conns_per_server = 5
}

>>Is nsswitch.conf mapping any hosts?

No

>>What does nslookup rsa01.security.lab.comcast.net show?

[red@kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
Server: 10.252.152.70
Address: 10.252.152.70#53

Name: rsa01.security.lab.comcast.net
Address: 10.252.152.76

>>Is this a private network?

Yes, lab environment

>>Are your DNS servers doing something special and actually returning
>>the name as 10.242.142.77?

They shouldn’t be – I configured it, just using named

Here is a tcpdump of communication with the dns server when attempting to
ssh: http://pastebin.com/m66ff7a28
I looked at the pcap in wireshark, and it seems like its doing a standard
query with a valid standard response (for A name)...

MAT

--
MAT

Douglas E. Engert

Mar 12, 2009, 5:12:59 PM
to Mathew Rowley, kerb...@mit.edu
I bet you have an .ssh/config or in the ssh_config
with a Host section with HostName 10.52.152.77
If so ssh might be mapping the name you gave into
in to a string with the numbers. And this is being passed
to Kerberos.

Mathew Rowley

Mar 12, 2009, 10:03:45 PM
to Douglas E. Engert, kerb...@mit.edu
The problem was actually in the sshd_config, it had the ‘useDNS’ line
commented out. Switching it to yes fixed the problem.

MAT

--
MAT
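Every check raised in this thread (the ssh command line, /etc/hosts, nsswitch.conf, forward and reverse nslookup, an ssh_config HostName that maps a name to an address) is about how the target string ssh was given gets canonicalized before the client asks the KDC for host/<name>@REALM. The script below is an added example, not code from the thread, from MIT krb5 or from OpenSSH: it models that canonicalization under a simplified assumption (forward-resolve the target, an address literal being its own canonical name, then prefer the PTR name when rdns is on) and reports which principal would be requested and whether the KDC knows it. The DNS tables, the search domain and the set of registered principals are constructed around the lab names in the thread and are not real data.

```python
"""Model of how an SSH/GSSAPI client turns the host it was given into the
host/<name>@REALM service principal it asks the KDC for, and a check that
explains an UNKNOWN_SERVER answer like the one in the thread.

Added example: not code from the thread, MIT krb5 or OpenSSH.  The resolver
logic is a simplified assumption: forward-resolve the target (an address
literal is its own canonical name), then, when rdns is on, prefer the
reverse (PTR) name if one exists.  The DNS tables and the set of registered
principals below are constructed for the lab names in the thread.
"""
import ipaddress

REALM = "COMCAST.NET"
SEARCH_DOMAIN = "security.lab.comcast.net"   # assumed resolver search domain

# Constructed forward (A) records.
FORWARD = {
    "rsa01.security.lab.comcast.net": "10.252.152.76",
    "kdc01.security.lab.comcast.net": "10.252.152.78",
}

# Constructed reverse (PTR) records; 10.252.152.76 deliberately has none.
REVERSE = {
    "10.252.152.78": "kdc01.security.lab.comcast.net",
}

# Constructed view of the principals the KDC knows about (a host keytab
# holds the FQDN form, never an address form).
REGISTERED = {
    "host/rsa01.security.lab.comcast.net@" + REALM,
    "host/kdc01.security.lab.comcast.net@" + REALM,
}


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def canonical_name(target, forward=FORWARD, reverse=REVERSE, rdns=True):
    """Return (canonical host name, list of findings) for a target string."""
    findings = []
    if is_ip_literal(target):
        # No forward record to consult: the literal is its own canonical name.
        findings.append("target was given as an IP address literal")
        canon, addr = target, target
    else:
        # Short names are expanded with the assumed search domain.
        canon = target if "." in target else f"{target}.{SEARCH_DOMAIN}"
        addr = forward.get(canon.lower())
        if addr is None:
            findings.append(f"no A record for {canon}")
            return canon.lower(), findings
    if rdns:
        ptr = reverse.get(addr)
        if ptr is None:
            findings.append(f"no PTR record for {addr}; keeping {canon}")
        else:
            if ptr.lower() != canon.lower():
                findings.append(f"PTR for {addr} is {ptr}, replacing {canon}")
            canon = ptr
    return canon.lower(), findings


def service_principal(target, **kw):
    """The host/<name>@REALM principal the client would request."""
    name, _ = canonical_name(target, **kw)
    return f"host/{name}@{REALM}"


def diagnose(target, registered=REGISTERED, **kw):
    """Explain what the KDC would answer for a given ssh target."""
    name, findings = canonical_name(target, **kw)
    princ = f"host/{name}@{REALM}"
    known = princ in registered
    if not known:
        findings.append(f"KDC has no entry for {princ} (UNKNOWN_SERVER)")
    return {"principal": princ, "registered": known, "findings": findings}


if __name__ == "__main__":
    cases = [("rsa01.security.lab.comcast.net", {}),
             ("rsa01", {}),
             ("10.252.152.78", {}),
             ("10.252.152.78", {"rdns": False}),
             ("10.252.152.76", {})]
    for target, kw in cases:
        r = diagnose(target, **kw)
        print(f"{target:32} {kw} -> {r['principal']} "
              f"{'OK' if r['registered'] else 'FAIL'}")
        for f in r["findings"]:
            print("    -", f)
```

Run stand-alone it walks the five cases: an FQDN or short name resolves to the registered principal even without a PTR, an address literal is rescued only when a PTR exists and rdns is on, and an address literal with no PTR (or with rdns off) produces the host/10.x.x.x@REALM request that the KDC logs as UNKNOWN_SERVER. That is the shape of request to look for in krb5kdc.log when deciding whether the problem is DNS, an ssh_config HostName entry, or the sshd side.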
