3

I have a situation where I am attempting to take advantage of GSSAPI (Kerberos) forwarding to connect to another Linux server that is also joined to a Windows AD and using SSSD.

The Linux machines are joined to the domain using a different machine name than the actual FQDN of the server. When I log into the first machine with my domain credentials, PAM succeeds and I'm issued a valid token. It shows up with klist. However, even after enabling GSSAPI and Kerberos logins on SSH on another linux host also joined to the domain, I still get the "Server not found in the kerberos database" client error and it falls back to using password authentication. I am passing along -K to enable the Kerberos token forwarding.

If my memory serves correctly, this is potentially due to an SPN issue in AD (the Kerberos server in this case) with the Linux machine joined with a different machine name than the actual machine's FQDN that I am connecting to (or from?) but I'm not certain and need some help pointing me in the right direction.

Thomas Farvour
  • 141
  • 1
  • 1
  • 3

1 Answers1

7

You can use the principal name known to your domain controller by passing the GSSAPIServerIdentity option to your ssh client:

-oGSSAPIServerIdentity=host.domain.com

From the ssh_config manpage:

GSSAPIServerIdentity If set, specifies the GSSAPI server identity that ssh should expect when connecting to the server. The default is unset, which means that the expected GSSAPI server identity will be determined from the target hostname.

dawud
  • 14,918
  • 3
  • 41
  • 61
  • 1
    On Fedora 30, I was able to avoid having to use the parameter described here, by removing from /etc/ssh_config the option: `GSSAPITrustDns yes` and adding to /etc/krb5.conf `dns_canonicalize_hostname = true`. I don't know why this combo works, but it does. Ref: https://bgstack15.wordpress.com/2017/12/11/fedora-27-ssh-and-default-kerberos-config/ – bgStack15 May 05 '19 at 18:36