LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-13-2011, 03:38 AM   #1
Felipe
Member
 
Registered: Oct 2006
Posts: 302

Rep: Reputation: 32
ssh, kerberos and DNS


Hello:

I use CentOS 5.5 joined to Active Directory Win2003 (ADS).

I use ADS to authenticate users.

Works fine:
- Share folders.
- ssh with user/pass from ADS.

But I have a problem with SSO.

When a user of ADS starts a session, a kerberos ticket is created. So he can use that ticket to start sessions on another computer with that username.

As I've added the system to ADS, only the direct name/IP has been added.

If I've started a session with a user of ADS called userda1 then I can start a new session with:

ssh server.domain

The problem is that this works if I do a new connection to the current host, but not to another computer.

What I've checked is that it's due to a DNS problem.

If I add the IP of the target host to /etc/hosts, then it works fine; otherwise, it doesn't work.

Another option is to register the reverse IP in DNS, but that can give me problems with other services (because I use the IP with different names).

Can anyone tell me how I can tell the ssh client not to check the reverse IP?

Tried modifying /etc/ssh_config with:
CheckHostIP no

But still I receive a message with:

Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.18.127.134.
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

and I'm asked for user/pass.


Thanks

Last edited by Felipe; 04-13-2011 at 03:40 AM.
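The log in the post above shows the ssh client reverse-mapping the target address just before GSSAPI fails, and the poster's /etc/hosts entry cures it. What is happening is that the Kerberos library, not ssh, canonicalizes the target host name before building the service principal name (SPN, `host/<name>@REALM`) it asks the KDC for; ssh's `CheckHostIP` only affects known_hosts checking and never enters that step. MIT Kerberos exposes the reverse step as the `[libdefaults]` option `rdns = false` in /etc/krb5.conf (assumption: the krb5 release on the box must be recent enough to honour it, so confirm with `man krb5.conf` first). The model below is an added example, not code from the thread, from krb5 or from OpenSSH; the forward records, PTR records, realm name and registered SPNs are all constructed. It shows how the same typed name can produce different SPNs depending on a hosts-file entry, a DNS PTR record that names a different alias of the same address (the multi-name situation the poster worries about), and the `rdns` setting.

```python
# Added example (not from the thread, krb5 or OpenSSH): a model of how a
# Kerberos client turns the host name typed on the ssh command line into the
# service principal it requests. Every record and SPN below is constructed.

REALM = "EXAMPLE.REALM"  # constructed realm name

# Constructed forward records (name -> address). Two names share one address,
# like the multi-named servers described in the thread.
FORWARD = {
    "server.domain": "10.18.127.134",
    "web.domain": "10.18.127.134",
    "other.domain": "10.18.127.200",
}

# Constructed PTR records held by the domain's DNS (address -> name).
# 10.18.127.134 deliberately has no PTR record, as in the thread.
REVERSE_DNS = {
    "10.18.127.200": "other.domain",
}

# Constructed set of SPNs the KDC knows about (registered at domain join).
KDC_SPNS = {
    f"host/server.domain@{REALM}",
    f"host/other.domain@{REALM}",
}


def canonical_host(typed, rdns=True, reverse_dns=None, hosts_file=None):
    """Return the host name the client puts into the SPN.

    Order modelled on MIT krb5's name-to-principal canonicalization:
    1. forward-resolve the typed name (error if it does not resolve);
    2. if rdns is enabled, map the address back to a name, consulting the
       local hosts file before DNS (which is why an /etc/hosts entry changes
       the outcome); with no reverse mapping at all, keep the typed name.
    """
    address = FORWARD.get(typed)
    if address is None:
        raise LookupError(f"{typed}: forward lookup failed")
    if not rdns:
        return typed
    reverse_dns = REVERSE_DNS if reverse_dns is None else reverse_dns
    hosts_file = hosts_file or {}
    return hosts_file.get(address) or reverse_dns.get(address) or typed


def service_principal(typed, **kwargs):
    """SPN of the form host/<canonical host>@REALM."""
    return f"host/{canonical_host(typed, **kwargs)}@{REALM}"


def kdc_lookup(spn):
    """True when the KDC holds a key for the SPN; False corresponds to the
    'Server not found in Kerberos database' failure quoted in the thread."""
    return spn in KDC_SPNS


def simulate(typed, **kwargs):
    """Return (spn, found) for one client configuration."""
    spn = service_principal(typed, **kwargs)
    return spn, kdc_lookup(spn)


if __name__ == "__main__":
    scenarios = [
        ("no PTR, rdns on (default)", {}),
        ("PTR supplied via /etc/hosts",
         {"hosts_file": {"10.18.127.134": "server.domain"}}),
        ("DNS PTR names the other alias",
         {"reverse_dns": {"10.18.127.134": "web.domain"}}),
        ("rdns = false in krb5.conf",
         {"rdns": False, "reverse_dns": {"10.18.127.134": "web.domain"}}),
    ]
    for label, kwargs in scenarios:
        spn, found = simulate("server.domain", **kwargs)
        print(f"{label:32s} -> {spn:36s} {'ok' if found else 'NOT FOUND'}")
```

The third scenario is the one the poster's multi-name servers would run into if a single PTR record were added: the reverse step rewrites `server.domain` to `web.domain`, the SPN becomes `host/web.domain@EXAMPLE.REALM`, and the KDC has no key for it. Turning `rdns` off (fourth scenario) makes the client request the SPN for the name actually typed, so the only requirement left is that an SPN for that name is registered on the computer account. In this model a missing PTR falls back to the typed name; what the poster's resolver really returned for 10.18.127.134 is not visible in the thread, so the model does not claim to reproduce that exact failure, only the mechanism behind it.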
 
Old 04-18-2011, 09:31 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
Hi Felipe,

What are the DNS settings on your CentOS 5.5 server?
My suggestion would be to have it point to the same DNS server as the one used by the Windows machines in the Windows 2000 AD.
Post back the content of

/etc/resolv.conf:
search your_windows_2000_domain
nameserver the_ip_address_of_your_windows_2000_domain_first_dns_server
nameserver the_ip_address_of_your_windows_2000_domain_second_dns_server

Regards,

Tshimanga.
 
Old 04-18-2011, 02:56 PM   #3
Felipe
Member
 
Registered: Oct 2006
Posts: 302

Original Poster
Rep: Reputation: 32
As I've told you, my resolv.conf has as DNS servers the domain controllers of Active Directory (ADS).
It works fine and it resolves direct and reverse IP/name of computers.
But for Kerberos purposes, I have to add the reverse IP of my computer to the DNS of ADS. Windows computers are added to ADS only with name/IP, not reverse, and Kerberos works fine.
In Linux servers I have to add direct/reverse IP to DNS for Kerberos to work. So I suppose I'm doing something wrong and I suppose that there will be a way to make Kerberos work without adding the reverse IP to DNS.
As my servers have more names (depending on the services they serve), some of them can give me problems if I add the reverse IP, as some of them check direct and reverse and will see they are not the same. So it won't work.
Not sure if I've explained it well, but the only thing I'm looking for is to "make Kerberos work without adding the reverse IP to DNS".

Any suggestion?

Thanks
 
All times are GMT -5. The time now is 01:11 PM.