Hi list,
I have noticed that there is a slight difference in host principals when joining to AD using "net" command or via "adcli/realm". All commands generate the short version (i.e. as per "hostname -s") in capital letters in AD, but in local Kerberos keytab, the "net" command generates all "host/" principals lower case, but "adcli" generates them upper case - which renders kerberized access via ssh unusable in case we specify hostname without the domain suffix:
# cat /etc/hostname
Myshostname
Question, why do you convert the short hostname to uppercase? Why is sshd so picky about lower/upper cases for the host principals in Kerberos keytab?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Tue, Aug 21, 2018 at 03:21:27PM +0000, Ondrej Valousek wrote:
> Hi list,
> I have noticed that there is a slight difference in host principals when joining to AD using "net" command or via "adcli/realm". All commands generate the short version (i.e. as per "hostname -s") in capital letters in AD, but in local Kerberos keytab, the "net" command generates all "host/" principals lower case, but "adcli" generates them upper case - which renders kerberized access via ssh unusable in case we specify hostname without the domain suffix:
> # cat /etc/hostname
> Myshostname
> Question, why do you convert the short hostname to uppercase? Why is sshd so picky about lower/upper cases for the host principals in Kerberos keytab?
I cannot say why adcli behaves this way. I haven't checked this but maybe Windows clients use the upper-case version as well when joining?
I guess it is not sshd being picky but libkrb5. Kerberos principal names are case sensitive according to the related RFCs and libkrb5 is implemented this way. AD on the other hand treats Kerberos principals case insensitive.
Have you tried to set 'GSSAPIStrictAcceptorCheck = no' in /etc/ssh/sshd_config? Its purpose is a bit different but maybe it covers cases as well.
bye, Sumit
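An added example, not part of the original thread and not code from SSSD, adcli or Samba: a Python check that parses plain `klist -k` output and reports whether a `host/` principal exists in the exact case requested or only under different letter case, which is the mismatch discussed above. The keytab listing, host name and realm are constructed placeholders.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT Kerberos layout);
# host and realm names are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 MYHOST$@EXAMPLE.COM
   2 host/MYHOST@EXAMPLE.COM
   2 host/myhost.example.com@EXAMPLE.COM
   2 RestrictedKrbHost/MYHOST@EXAMPLE.COM
"""

# An entry line is "<kvno> <principal>"; header and separator lines do not match.
ENTRY = re.compile(r"^\s*\d+\s+(\S+)$")

def keytab_principals(klist_output):
    """Return the set of principal names listed by `klist -k`."""
    found = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            found.add(m.group(1))
    return found

def check_host_principal(klist_output, hostname, realm):
    """Classify how host/<hostname>@<realm> is represented in the keytab.

    'exact'     - present byte-for-byte (a case-sensitive lookup succeeds)
    'case-only' - present only under different letter case
    'missing'   - not present at all
    Returns (status, matching_principals).
    """
    wanted = f"host/{hostname}@{realm}"
    principals = keytab_principals(klist_output)
    if wanted in principals:
        return "exact", [wanted]
    near = sorted(p for p in principals if p.lower() == wanted.lower())
    return ("case-only", near) if near else ("missing", [])

if __name__ == "__main__":
    for name in ("myhost", "myhost.example.com"):
        print(name, check_host_principal(SAMPLE_KLIST, name, "EXAMPLE.COM"))
```

A `case-only` result marks a keytab entry that a case-insensitive directory such as AD would treat as the same principal while a case-sensitive keytab lookup would not.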