
List:       kerberos
Subject:    AW: multihomed IP address
From:       Gsandtner Michael <michael.gsandtner () wien ! gv ! at>
Date:       2015-06-23 6:02:13
Message-ID: CDB785DEF421B94BA51F34F0FA19D7BD53BAF319 () ntex2010a ! host ! magwien ! gv ! at

This indeed solves our problem.

Many thanks, best regards --Michael Gsandtner

-----Original Message-----
From: Greg Hudson *EXTERN* [mailto:ghudson@mit.edu]
Sent: Monday, 22 June 2015 18:44
To: Gsandtner Michael; 'kerberos@mit.edu'
Cc: Weber Sylvia
Subject: Re: multihomed IP address

On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
> We want to connect with ssh via kerberos. The host's name resolves to one IP
> address, but the IP address resolves to two names (this is a required DNS
> configuration):
> # nslookup vmlxsuche1test
> Name:   vmlxsuche1test.host.magwien.gv.at
> Address: 10.153.92.100
> 
> # nslookup 10.153.92.100
> 100.92.153.10.in-addr.arpa      name = vmlxsuche1test.host.magwien.gv.at.
> 100.92.153.10.in-addr.arpa      name = zktest.host.magwien.gv.at.
> 
> ssh sometimes works, sometimes does not (falls back to authentication method:
> password). In both cases the credential cache on the client looks equal (got a TGS
> for both names):

ssh GSSAPI krb5 userauth does not work well when there are multiple
possible results for hostname canonicalization.  For unfortunate
historical reasons, MIT krb5 defaults to reverse-resolving the IP
address when canonicalizing hostnames.

For this situation, I believe adding "rdns = false" to the [libdefaults]
section in krb5.conf should resolve the issue.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
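
Added example (not part of the original thread and not MIT krb5 code): a simplified Python model of the canonicalization described above, showing which host principals a client could request with the default setting versus "rdns = false". The DNS data is constructed from the nslookup output quoted in the thread; the realm EXAMPLE.TEST, the function names and the minimal krb5.conf parser are assumptions made for illustration.

```python
# Added illustration; a simplified model, not MIT krb5 source code.
# DNS data is constructed from the nslookup output quoted in the thread.
FORWARD = {"vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100")}
REVERSE = {"10.153.92.100": ["vmlxsuche1test.host.magwien.gv.at.",
                             "zktest.host.magwien.gv.at."]}

# Constructed krb5.conf texts; EXAMPLE.TEST is a placeholder realm.
DEFAULT_CONF = "[libdefaults]\n    default_realm = EXAMPLE.TEST\n"
FIXED_CONF = DEFAULT_CONF + "    rdns = false\n"

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def rdns_setting(conf_text):
    """Return the effective rdns value from [libdefaults] (default: True)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "rdns":
                return val.strip().lower() in TRUE_WORDS  # first value wins
    return True


def candidate_principals(host, rdns, service="host"):
    """Every service principal the client could request for `host`."""
    fqdn, addr = FORWARD[host]
    names = [fqdn]
    if rdns and REVERSE.get(addr):
        names = REVERSE[addr]  # the resolver may hand back any one PTR name
    return sorted({f"{service}/{n.rstrip('.').lower()}" for n in names})


def audit(host, conf_text):
    """Report the candidate principals and whether more than one is possible."""
    principals = candidate_principals(host, rdns_setting(conf_text))
    return {"principals": principals, "ambiguous": len(principals) > 1}


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("rdns = false", FIXED_CONF)):
        print(label, audit("vmlxsuche1test", conf))
```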

