On 28-06-18 23:39, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> After installing a PC with Ubuntu 18.04 I'm seeing this problem with
> SSH logins. The gssapi-with-mic authentication method does not
> work anymore. Strangely enough a system that I upgraded (16.04->18.04)
> was working fine.
>
> The debug of sshd shows (fivel being the unqualified hostname):
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No key table entry found matching host/fivel@
>
> After debugging and looking at differences between the installed and upgraded system
> I found that the new Ubuntu 18.04 installation has a slightly different krb5 configuration.
> These are:
>
> ---------8X---------8X---------8X---------8X---------
> [libdefaults]
> ...
> dns_canonicalize_hostname = false
> ...
> [domain_realm]
> ...
> fqdn = <kerberos realm>
> ---------8X---------8X---------8X---------8X---------
>
>
> Now the workaround for the login problem is to comment out dns_canonicalize_hostname.
>
> Can anyone comment on this? Why was this changed? Why doesn't it work out of the box?
>
This has been the setting since IPA v4.5.
OK, that explains why we didn't see it with Ubuntu 16.04, which has FreeIPA 4.3,
while Ubuntu 18.04 has FreeIPA 4.7.
IPA generally requires that the hostname of the system be
fully-qualified. Is that the case on the working and non-working systems?
These are systems that get their IP address from a DHCP server. In /etc/hostname
we simply have their non-qualified hostname. Via DHCP they get their domain. So,
on a connected system you'd see:
$ hostname
fivel
$ hostname -f
fivel.ghs.nl
I always assumed that this was sufficient. But maybe I'm wrong.
Let me also mention that at one point we had FQDN in /etc/hostname, but that confused
the DHCP setup, because it would attach an extra domain to the hostname, like
fivel.ghs.nl.ghs.nl
--
Kees
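A small diagnostic script, added here as an example and not part of the thread or of FreeIPA's tooling, that reproduces the mismatch discussed above. With dns_canonicalize_hostname = false, libkrb5 uses the hostname exactly as sshd hands it over instead of canonicalizing it through DNS (which would mean trusting DNS answers when choosing the principal name), so a short hostname makes sshd look for host/fivel@ while the keytab only holds host/fivel.ghs.nl@REALM. The klist listing below is a constructed sample; on a real host you would feed it `hostname` and `klist -k` output as shown in the usage comment.

```shell
#!/bin/sh
# Added example: check whether the host principal GSSAPI will look up
# (hostname used verbatim, as when dns_canonicalize_hostname = false)
# actually exists in the host keytab.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fivel.ghs.nl@GHS.NL
   2 host/fivel.ghs.nl@GHS.NL'

# is_fqdn NAME -> 0 if NAME contains a dot (is qualified), 1 otherwise
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# expected_principal NAME -> the principal prefix sshd asks for when the name
# is not canonicalized; the realm is left empty, matching the "host/fivel@"
# seen in the sshd debug output in the thread
expected_principal() {
    printf 'host/%s@' "$1"
}

# keytab_has NAME LISTING -> 0 if a host/NAME@... entry exists in LISTING
keytab_has() {
    printf '%s\n' "$2" | grep -qF "host/$1@"
}

# diagnose NAME LISTING -> prints a verdict; returns 0 when the keytab has an
# entry for NAME and 1 when it does not
diagnose() {
    name=$1
    listing=$2
    if keytab_has "$name" "$listing"; then
        echo "ok: keytab contains $(expected_principal "$name")..."
        return 0
    fi
    if is_fqdn "$name"; then
        echo "missing: no keytab entry for $(expected_principal "$name"); check enrolment/keytab"
    else
        echo "missing: sshd will look up $(expected_principal "$name") but the hostname is not fully qualified; put the FQDN in /etc/hostname or re-enable dns_canonicalize_hostname"
    fi
    return 1
}

# Usage on a real host: diagnose "$(hostname)" "$(klist -k 2>/dev/null)"
diagnose fivel "$SAMPLE_KLIST" || true
diagnose fivel.ghs.nl "$SAMPLE_KLIST" || true
```

The script checks the exact string the library will use; it deliberately does no DNS lookup, because that is precisely what the IPA default turned off.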