Stack trace for gssapi-with-mic
Sergio Gelato
Sergio.Gelato at astro.su.se
Mon Apr 20 17:47:26 EST 2009
* Ted Creedon [2009-04-19 14:52:45 -0700]:
> I think there are two problems:
> 1. geronimo.creedon.biz reverse dnslookups as a comcast uri (it's on a
> comcast dhcp line) - the forward dns is set up using dyndns. Look at the
> garbled klist below..

Both the stack trace and the garbled klist point to a serious problem
with the installation of MIT Kerberos on redcloud. (I assume your klist is
MIT Kerberos like the libraries ssh is linked against.) The DNS forward/reverse
mismatch is not a sufficient explanation for that klist output; a
corrupt credentials cache is more likely. (The timestamps look correct,
though; only the principals for that second ticket don't make sense.)

Try purging and reinstalling the Kerberos RPMs on redcloud. If this
were a fundamental problem with SuSE 10.1 I'd think it would have been
reported by others.

Check also the contents of /etc/krb5.conf.

Try testing basic Kerberos functionality independently of ssh.
For example, does aklog work for you? If it does, then maybe only the
GSSAPI library (which aklog doesn't use) is bad.

> redcloud:~ # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root at CREEDON.BIZ
>
> Valid starting Expires Service principal
> 04/19/09 14:42:40 04/19/09 15:42:40 krbtgt/CREEDON.BIZ at CREEDON.BIZ
> renew until 04/19/09 15:42:40
> 04/19/09 14:43:00 04/19/09 15:42:40 /\@UW\0\0\0\0\0ST.NET at UW\0\0\0\0\0BIZ
> for client @GW\0\0\0\0\0BIZ, renew until 04/19/09 15:42:40
>
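
Added example (not part of the original message or of any project's code): a small checker that scans klist text for the symptom discussed above, principals containing escaped NUL bytes or otherwise not of the form `name[/instance]@REALM`. The sample output, the realm EXAMPLE.COM, the date format and the well-formedness pattern are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the klist output quoted above; the realm
# EXAMPLE.COM and all principals are placeholders, not values from the thread.
SAMPLE_KLIST = r"""Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/09 14:42:40  04/19/09 15:42:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 04/19/09 15:42:40
04/19/09 14:43:00  04/19/09 15:42:40  /\@EX\0\0\0\0\0ST.NET@EX\0\0\0\0\0COM
    for client @EX\0\0\0\0\0COM, renew until 04/19/09 15:42:40
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"  # assumes the date format shown above
DEFAULT = re.compile(r"^Default principal:\s*(?P<p>\S+)$")
TICKET = re.compile(r"^" + STAMP + r"\s+" + STAMP + r"\s+(?P<p>\S+)$")
CLIENT = re.compile(r"for client (?P<p>[^,\s]+),")

# Conservative heuristic (an assumption, not the full Kerberos name grammar):
# one or more '/'-separated components, then '@' and a realm.
PART = r"[A-Za-z0-9_.$-]+"
WELL_FORMED = re.compile(r"^" + PART + r"(/" + PART + r")*@[A-Za-z0-9.-]+$")


def check_klist(text):
    """Return (line_number, principal, reason) for each suspicious principal."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = DEFAULT.match(line) or TICKET.match(line) or CLIENT.search(line)
        if not m:
            continue  # header, blank line, or a plain "renew until" line
        principal = m.group("p")
        if "\\0" in principal:
            # klist shows NUL bytes inside a name as the two characters \0
            findings.append((lineno, principal, "embedded NUL bytes"))
        elif not WELL_FORMED.match(principal):
            findings.append((lineno, principal, "malformed principal"))
    return findings


if __name__ == "__main__":
    for lineno, principal, reason in check_klist(SAMPLE_KLIST):
        print(f"line {lineno}: {reason}: {principal}")
```
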