LinuxQuestions.org

Linux - Security: Kerberos keytab and Virtual IPs (https://www.linuxquestions.org/questions/linux-security-4/kerberos-keytab-and-virtual-ips-4175442321/)

derekmapge 12-20-2012 10:12 AM

Kerberos keytab and Virtual IPs
 
Hi All,

I use Kerberos and SSSD for Active Directory authentication on our CentOS 6 hosts.
We also use GSSAPI for SSH to delegate authentication with the Kerberos ticket, so we don't need to use SSH keys.

The issue I am running into is this: if I ssh to the hostname, passwordless authentication works great using GSSAPI. If I ssh to a virtual IP on the server, GSSAPI complains that the host is not in the Kerberos database.

I also have separate/different A records for my virtual IPs.

This is my original keytab.
# Note I have replaced my real domain name with MYDOMAIN for security reasons.

$ sudo klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)

I have tried adding entries to the keytab using ktutil, for example:
add_entry -key -p host/sql01.u.m4.mydomain.com -k 2 -e arcfour-hmac

As you can see, I have tried every combination of this.
Note that sql01.u.m4.mydomain.com is on the same system as m4deploy01.m4.mydomain.com, just a different A record pointing to a virtual IP on the system.

I have also added an Active Directory computer called "sql01", just like I have "m4deploy01" in Active Directory.

$ sudo klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*$@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/SQL01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/SQL01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/SQL01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 SQL01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 SQL01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 SQL01$@RHELM.MYDOMAIN.COM (arcfour-hmac)

Does anyone know how I can make this work? We really want to get away from SSH keys.

Additional information:
~$ rpm -qa | egrep 'krb|sssd'
sssd-client-1.8.0-32.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6_3.2.x86_64
krb5-devel-1.9-33.el6_3.2.x86_64
python-krbV-1.0.90-3.el6.x86_64
sssd-1.8.0-32.el6.x86_64
krb5-workstation-1.9-33.el6_3.2.x86_64

uname -a
2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/redhat-release
CentOS release 6.3 (Final)


Thank you.
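Added example, not part of the original post: a small POSIX sh script that works through the two questions a practitioner would ask about the situation above, using a constructed copy of the keytab listing from the post. First, which service principal does the MIT Kerberos client actually request when you type `ssh sql01.u.m4.mydomain.com`? With the krb5 1.9 default `rdns = true`, the name is taken from the PTR record of the address the hostname resolves to, so the VIP's reverse record decides the SPN; the IPs and PTR records in the script are assumptions, as is the realm. Second, could the keytab serve that principal? The script matches principal names literally, as the GSSAPI acceptor and the KDC do, so a `host/*...` entry never matches a real hostname. The key point it illustrates: the message "Server not found in Kerberos database" is the KDC's reply to the client's ticket request, so once the keytab contains the requested principal, the thing to check is whether the SPN is registered on the AD side (`kvno <principal>` from a client holding a TGT reproduces the KDC's answer without involving sshd). It also lists the enctypes in the keytab that are deprecated (single DES by RFC 6649, RC4 by RFC 8429).

```shell
#!/bin/sh
# Added example (not from the original post). All input is constructed:
# the keytab listing is modelled on the post, the addresses, PTR records
# and realm are assumptions.

REALM=RHELM.MYDOMAIN.COM

# Constructed copy of the post's second `klist -ke` output, abridged to
# one or two enctypes per principal; the logic does not depend on that.
KEYTAB_LISTING='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
   2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
   2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 SQL01$@RHELM.MYDOMAIN.COM (arcfour-hmac)'

# Constructed forward (A) and reverse (PTR) answers. Assumption: the VIP
# 10.0.0.11 has its own PTR record, matching its separate A record.
DNS_A='m4deploy01.m4.mydomain.com 10.0.0.10
sql01.u.m4.mydomain.com 10.0.0.11'
DNS_PTR='10.0.0.10 m4deploy01.m4.mydomain.com
10.0.0.11 sql01.u.m4.mydomain.com'

# Distinct principal names in a klist -ke listing (KVNO and enctype stripped).
keytab_principals() {
    printf '%s\n' "$KEYTAB_LISTING" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Literal lookup: the GSSAPI acceptor and the KDC compare principal names
# byte for byte, so a "host/*..." entry never matches a real hostname.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# The service principal the MIT client requests for `ssh <host>`.
# rdns=true (the krb5 1.9 default): name comes from the PTR record of the
# address <host> resolves to. rdns=false: the forward name is used as typed.
service_principal_for() {
    host=$1 rdns=${2:-true}
    addr=$(printf '%s\n' "$DNS_A" | awk -v h="$host" '$1 == h { print $2; exit }')
    [ -n "$addr" ] || return 1
    if [ "$rdns" = true ]; then
        name=$(printf '%s\n' "$DNS_PTR" | awk -v a="$addr" '$1 == a { print $2; exit }')
    else
        name=$host
    fi
    printf 'host/%s@%s\n' "$name" "$REALM"
}

# Enctypes in the keytab that are deprecated (DES: RFC 6649, RC4: RFC 8429).
weak_enctypes() {
    printf '%s\n' "$KEYTAB_LISTING" \
        | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $3); print $3 }' \
        | sort -u | grep -Ex -- 'des-cbc-crc|des-cbc-md5|arcfour-hmac'
}

# Tie it together: say where to look next for a given ssh target.
diagnose() {
    spn=$(service_principal_for "$1" "${2:-true}") || { echo "no A record for $1"; return 2; }
    if keytab_has_principal "$spn"; then
        echo "$spn is in the keytab; 'Server not found in Kerberos database' is the KDC's answer"
        echo "  check the AD-side SPN from a client holding a TGT:  kvno $spn"
    else
        echo "$spn is NOT in the keytab; add it with the account's real key, not a random one"
    fi
}

diagnose sql01.u.m4.mydomain.com
diagnose m4deploy01.m4.mydomain.com false
echo "deprecated enctypes present:"; weak_enctypes
```

Two caveats that follow from the script rather than from the post: `ktutil add_entry -key` stores a freshly generated random key, which the KDC does not share, so even after the SPN exists on the AD side the keytab entry for it must carry the computer account's actual key (a tool that enrols against AD, such as msktutil or Samba's `net ads keytab`, writes it; this is the assumed fix, not something the post confirms). And because an SPN belongs to the account that holds it, the alias normally goes on the same computer account as the real hostname rather than on a second account with a different key.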

