Kerberos: Wrong principal / realm for ssh-server login on a server in a subdomain

by M.K. aka Grisu   Last Updated September 11, 2019 16:00 PM - source

I am currently trying to set up Kerberos auth on a server living in a subdomain "sub.example.com". The KDC manages EXAMPLE.COM together with a DNS server which manages 'example.com'. For organizational reasons we have a subdomain 'sub.example.com' for some servers (server1.sub.example.com). This subdomain is managed by a separate DNS server. The Kerberos login via PAM works fine on this server using the following /etc/krb5.conf file:

includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300
    ticket_lifetime = 2days
    renew_lifetime = 365days
    renewable = true
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
    }

If I now connect with Kerberos enabled, using kerberized ssh, I get

$ ssh -vvv server1.sub.example.com
...
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information

debug3: send packet: type 50
...

and it falls back to password login. How can I convince Kerberos/ssh to use krbtgt/EXAMPLE.COM@EXAMPLE.COM instead of krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM for the servers inside the subdomain?
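The failure above is a host-to-realm mapping problem, and the following added example (not part of the original post, and not the MIT krb5 code itself) models it. It re-implements the [domain_realm] lookup as the krb5.conf documentation describes it: the exact host name is tried first, then each parent domain with and without a leading dot, and if nothing matches the realm is the uppercased domain part of the host name. The KDC referral and the dns_lookup_realm TXT query that the real library tries between those two steps are deliberately left out. The host name and the two configuration texts are constructed from the question: one without a [domain_realm] section, as posted, and one with an explicit mapping for sub.example.com.

```python
"""Model how libkrb5 picks the realm for host/server1.sub.example.com.

Added example, not from the original post. It re-implements the documented
[domain_realm] lookup (exact host, then each parent domain with and without
a leading dot) and the documented fallback (uppercased domain part of the
host name). KDC referrals and the dns_lookup_realm TXT lookup that sit between
those two steps are deliberately not modelled.
"""
import re

# Constructed: the [libdefaults]/[realms] part of the posted krb5.conf, with
# no [domain_realm] section at all.
POSTED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
    }
"""

# Constructed: the same file plus an explicit mapping for the subdomain.
# The ".example.com" entry alone would already cover sub.example.com, because
# the lookup walks up through the parent domains; the ".sub.example.com" line
# just makes the intent explicit.
FIXED_CONF = POSTED_CONF + """
[domain_realm]
    .sub.example.com = EXAMPLE.COM
    sub.example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: returns {section: {key: value}} for the
    top level of each section. Brace-delimited subsections such as the
    realm entries in [realms] are skipped; they are not needed here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is not None and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def host_realm(hostname, conf):
    """Realm the client library would choose for a service on hostname."""
    hostname = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if hostname in mapping:
        return mapping[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        # A domain entry is written with a leading dot; a bare host-name
        # entry implicitly provides the same domain relation.
        for key in ("." + domain, domain):
            if key in mapping:
                return mapping[key]
    # Documented fallback: the domain portion of the host name, uppercased.
    return ".".join(labels[1:]).upper()


def tgs_request_server(hostname, conf):
    """Server principal the client asks its own KDC for when it needs a
    ticket for host/hostname: the service principal itself when the host's
    realm is the client's realm, otherwise a cross-realm TGT
    krbtgt/<host realm>@<client realm>, which is exactly the principal the
    ssh -vvv output shows the KDC rejecting."""
    client_realm = conf["libdefaults"]["default_realm"]
    realm = host_realm(hostname, conf)
    if realm == client_realm:
        return f"host/{hostname}@{realm}"
    return f"krbtgt/{realm}@{client_realm}"


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        conf = parse_krb5_conf(text)
        print(label, tgs_request_server("server1.sub.example.com", conf))
```

With the posted configuration the model yields krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM, the principal the KDC reports as missing; with the [domain_realm] mapping it yields host/server1.sub.example.com@EXAMPLE.COM. Two practical points follow from this: the mapping is consulted by the machine that runs ssh, so it has to be in the client's krb5.conf (putting it on the server as well keeps both sides consistent), and the sshd host still needs a keytab entry for host/server1.sub.example.com@EXAMPLE.COM. Since the subdomain has its own DNS server, a `_kerberos.sub.example.com` TXT record with the value EXAMPLE.COM together with `dns_lookup_realm = true` is the alternative that avoids editing every client. To confirm the fix without involving sshd, run `KRB5_TRACE=/dev/stderr kvno host/server1.sub.example.com` after `kinit`; the trace shows which realm the library selects and whether it asks for a cross-realm TGT.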
