I think SSSD has features to get around this kind of stuff.

On 22 June 2015 at 18:43, Greg Hudson <ghud...@mit.edu> wrote:
> On 06/22/2015 06:53 AM, Gsandtner Michael wrote:
>> We want to connect with ssh via Kerberos. The host's name resolves to
>> one IP address, but the IP address resolves to two names (this is a
>> required DNS configuration):
>>
>> # nslookup vmlxsuche1test
>> Name: vmlxsuche1test.host.magwien.gv.at
>> Address: 10.153.92.100
>>
>> # nslookup 10.153.92.100
>> 100.92.153.10.in-addr.arpa name = vmlxsuche1test.host.magwien.gv.at.
>> 100.92.153.10.in-addr.arpa name = zktest.host.magwien.gv.at.
>>
>> ssh sometimes works, sometimes does not (falls back to authentication
>> method: password).
>> In both cases the credential cache on the client looks equal (got a TGS
>> for both names):
>
> ssh GSSAPI krb5 userauth does not work well when there are multiple
> possible results for hostname canonicalization. For unfortunate
> historical reasons, MIT krb5 defaults to reverse-resolving the IP
> address when canonicalizing hostnames.
>
> For this situation, I believe adding "rdns = false" to the [libdefaults]
> section in krb5.conf should resolve the issue.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
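As an added illustration of the canonicalization problem Greg describes (not code from the thread or from MIT krb5), the following simulates how the client picks the host/ service principal with and without rdns, using a constructed DNS table that mirrors the nslookup output above. The realm, the keytab contents and the resolver's PTR ordering are assumptions; real krb5 uses getaddrinfo/getnameinfo rather than these tables.

```python
import itertools

# Constructed DNS data, copied from the nslookup output quoted in the thread.
FORWARD = {  # short name -> (canonical name from the A record, address)
    "vmlxsuche1test": ("vmlxsuche1test.host.magwien.gv.at", "10.153.92.100"),
}
REVERSE = {  # address -> PTR records, in no guaranteed order
    "10.153.92.100": [
        "vmlxsuche1test.host.magwien.gv.at",
        "zktest.host.magwien.gv.at",
    ],
}
REALM = "EXAMPLE.COM"  # placeholder; the thread does not name the realm


def canonicalize(hostname, rdns, ptr_order=None):
    """Return the host name krb5 would put into host/<name>@REALM.

    The forward lookup gives the canonical name. With rdns = true the
    library additionally reverse-resolves the address and uses the PTR
    answer; with several PTR records the result depends on which one the
    resolver hands back first (modelled here by ptr_order).
    """
    canon, addr = FORWARD[hostname]
    ptrs = REVERSE.get(addr, [])
    if not rdns or not ptrs:
        return canon.lower()
    order = list(ptr_order) if ptr_order is not None else ptrs
    return order[0].lower()


def service_principal(hostname, rdns, ptr_order=None):
    return f"host/{canonicalize(hostname, rdns, ptr_order)}@{REALM}"


def possible_principals(hostname, rdns):
    """Every principal the client might request over all PTR orderings."""
    ptrs = REVERSE[FORWARD[hostname][1]]
    return sorted({service_principal(hostname, rdns, o)
                   for o in itertools.permutations(ptrs)})


def gssapi_succeeds(requested, keytab_principals):
    """sshd can only accept a ticket for a principal whose key it holds.
    Assumption: the host keytab contains only the forward name."""
    return requested in keytab_principals


KEYTAB = {f"host/vmlxsuche1test.host.magwien.gv.at@{REALM}"}  # assumed
```

With rdns enabled two different principals are possible, and only one of them matches the assumed keytab, which is the intermittent password fallback the original poster saw; with rdns = false the result is always the forward name.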