LinuxQuestions.org, Linux - Server forum (discussion of Linux software used in a server-related context)
#1 | 04-13-2011, 04:38 AM | Felipe (Member; Registered: Oct 2006; Posts: 302)
ssh, kerberos and DNS
Hello:
I use CentOS 5.5 joined to Active Directory Win2003 (ADS).
I use ADS to authenticate users.
Works fine:
- Shared folders.
- ssh with user/pass from ADS.
But I have a problem with SSO.
When an ADS user starts a session, a Kerberos ticket is created. So he can use that ticket to start sessions on another computer with that username.
When I added the system to ADS, only the direct name/IP was added.
If I've started a session with an ADS user called userda1, then I can start a new session with:
ssh server.domain
The problem is that this works if I open a new connection to the current host, but not to another computer.
What I've checked is that it's due to a DNS problem.
If I add the IP of the target host to /etc/hosts, then it works fine. Otherwise, it doesn't work.
Another option is to register the reverse IP in DNS, but that can give me problems with other services (because I use the IP with different names).
Can anyone tell me how to tell the ssh client not to check the reverse IP?
I tried modifying /etc/ssh_config with:
CheckHostIP no
But I still receive a message with:
Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.18.127.134.
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
and I'm asked for user/pass.
Thanks
Last edited by Felipe; 04-13-2011 at 04:40 AM.
#2 | 04-18-2011, 10:31 AM | Tshimanga (Member; Registered: Apr 2010; Location: Kinshasa, Democratic Republic of Congo; Distribution: RHEL, Fedora, CentOS; Posts: 525)
Hi Felipe,
What are the DNS settings on your CentOS 5.5 server?
My suggestion would be to have it point to the same DNS server as the one used by the Windows machines in the Windows 2000 AD.
Post back the content of
/etc/resolv.conf:
search your_windows_2000_domain
nameserver the_ip_address_of_your_windows_2000_domain_first_dns_server
nameserver the_ip_address_of_your_windows_2000_domain_second_dns_server
Regards,
Tshimanga.
#3 | 04-18-2011, 03:56 PM | Felipe (Member, Original Poster; Registered: Oct 2006; Posts: 302)
As I've told you, my resolv.conf has the Active Directory (ADS) domain controllers as DNS servers.
It works fine, and it resolves direct and reverse IP/name for computers.
But for Kerberos purposes, I have to add the reverse IP of my computer to the ADS DNS. Windows computers are added to ADS only with name/IP, not reverse, and Kerberos works fine.
On Linux servers I have to add direct/reverse IP to DNS for Kerberos to work. So I suppose I'm doing something wrong, and I suppose there will be a way to make Kerberos work without adding the reverse IP to DNS.
As my servers have more names (depending on the services they serve), some of them can give me problems if I add the reverse IP, as some of them check direct and reverse and will see they are not the same. So it won't work.
Not sure if I've explained it well, but the only thing I'm looking for is to "make Kerberos work without adding the reverse IP to DNS".
Any suggestion?
Thanks
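Editor's added example (not part of the thread, and not the poster's code): the "Trying to reverse map address" line in the debug output comes from the OpenSSH client's own host canonicalisation, not from CheckHostIP. A client of the OpenSSH 4.x generation reverse-maps the peer address, checks that the resulting name maps forward to the same address, and falls back to the bare IP address when either step fails; GSSAPI then asks the KDC for a ticket for host/<that name>@REALM, and the domain controller answers "Server not found in Kerberos database" when no computer object carries that SPN. The Python below models that decision path. The realm DOMAIN.EXAMPLE, the names server.domain and www.domain, the /etc/hosts contents and the set of registered SPNs are constructed to mirror the situation described above; only the address 10.18.127.134 is taken from the post.

```python
"""
Model of how an OpenSSH 4.x-style client picks the host name it hands to
GSSAPI, and what the KDC does with the resulting service principal.
All resolver tables, the realm and the SPN list are constructed for this
example; the model follows canohost.c get_remote_hostname() with UseDNS on.
"""

REALM = "DOMAIN.EXAMPLE"        # assumed realm name
PEER_IP = "10.18.127.134"       # address from the poster's debug output

# Constructed AD forward zone: the Linux host was joined with a plain A record
# and also answers to a service alias, as the poster describes.
DNS_A = {
    "server.domain": {"10.18.127.134"},
    "www.domain": {"10.18.127.134"},
}

# SPNs a host joined to AD typically carries on its computer object.
# Constructed; on a real domain inspect them with: setspn -L <computer>
AD_SPNS = {"host/server.domain@DOMAIN.EXAMPLE", "host/SERVER@DOMAIN.EXAMPLE"}


def reverse_lookup(ip, hosts_file, dns_ptr):
    """getnameinfo(NI_NAMEREQD) with 'hosts: files dns': /etc/hosts wins."""
    if ip in hosts_file:
        return hosts_file[ip]
    return dns_ptr.get(ip)      # None when there is no PTR record


def forward_lookup(name, hosts_file, dns_a):
    """getaddrinfo(): addresses from /etc/hosts plus the DNS A records."""
    addrs = {ip for ip, h in hosts_file.items() if h == name}
    addrs |= dns_a.get(name, set())
    return addrs


def canonical_hostname(ip, hosts_file, dns_ptr, dns_a):
    """Mirror OpenSSH get_remote_hostname(): PTR, then forward check."""
    name = reverse_lookup(ip, hosts_file, dns_ptr)
    if name is None:
        return ip               # "Host name not found. Use ip address."
    if ip not in forward_lookup(name, hosts_file, dns_a):
        return ip               # "does not map back to the address"
    return name


def gssapi_target(ip, hosts_file, dns_ptr, dns_a, realm=REALM):
    """Service principal the client will request a ticket for."""
    return "host/%s@%s" % (canonical_hostname(ip, hosts_file, dns_ptr, dns_a), realm)


def kdc_lookup(principal, spns=AD_SPNS):
    """The KDC's answer: ok, or the error text the poster saw."""
    return "ok" if principal in spns else "Server not found in Kerberos database"


def run_scenarios():
    """The situations discussed in the thread, as name -> (principal, result)."""
    no_ptr = {}                                   # only an A record in AD DNS
    hosts_entry = {PEER_IP: "server.domain"}      # the poster's /etc/hosts fix
    ptr_to_alias = {PEER_IP: "www.domain"}        # PTR named after a service
    alias_spn = AD_SPNS | {"host/www.domain@DOMAIN.EXAMPLE"}
    out = {}
    p = gssapi_target(PEER_IP, {}, no_ptr, DNS_A)
    out["no_ptr"] = (p, kdc_lookup(p))
    p = gssapi_target(PEER_IP, hosts_entry, no_ptr, DNS_A)
    out["hosts_entry"] = (p, kdc_lookup(p))
    p = gssapi_target(PEER_IP, {}, ptr_to_alias, DNS_A)
    out["ptr_to_alias"] = (p, kdc_lookup(p))
    out["ptr_to_alias_with_spn"] = (p, kdc_lookup(p, alias_spn))
    return out


if __name__ == "__main__":
    for name, (principal, result) in run_scenarios().items():
        print("%-22s %-40s %s" % (name, principal, result))
```

What the model shows: with no PTR and nothing in /etc/hosts the client asks for host/10.18.127.134, which no computer object has, so the KDC rejects it; the /etc/hosts entry works because the reverse map consults files before DNS. A PTR that names a service alias passes OpenSSH's forward check but produces host/www.domain, which also fails unless that SPN is added to the computer account on a domain controller (setspn -A host/www.domain <computer>), the last scenario. Later OpenSSH clients, and distribution builds that offer the GSSAPITrustDNS option, pass the name typed on the command line instead; the Kerberos library's own reverse lookup of that name is then controlled by rdns in the [libdefaults] section of /etc/krb5.conf. Run ssh -vvv and read which name is being mapped before choosing between the two fixes.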