On Tue, Aug 21, 2018 at 03:21:27PM +0000, Ondrej Valousek wrote:
Hi list,
I have noticed that there is a slight difference in host principals when joining to AD
using the "net" command or via "adcli/realm".
All commands generate the short version (i.e. as per "hostname -s") in capital
letters in AD, but in the local Kerberos keytab, the "net" command generates all
"host/" principals lower case, whereas "adcli" generates them upper case,
which renders kerberized access via ssh unusable in case we specify the hostname without the
domain suffix:
# cat /etc/hostname
Myshostname
Question: why do you convert the short hostname to upper case? Why is sshd so picky about
lower/upper case for the host principals in the Kerberos keytab?
I cannot say why adcli behaves this way. I haven't checked this, but
maybe Windows clients use the upper-case version as well when joining?
I guess it is not sshd being picky but libkrb5. Kerberos principal
names are case sensitive according to the related RFCs, and libkrb5 is
implemented this way. AD, on the other hand, treats Kerberos principals
case-insensitively.
Have you tried setting 'GSSAPIStrictAcceptorCheck = no' in
/etc/ssh/sshd_config? Its purpose is a bit different, but maybe it covers
this case as well.
bye,
Sumit
Thanks,
Ondrej
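As an added illustration of the mismatch discussed above (this is not code from either poster or from sssd/adcli), the following script parses `klist -k` style output and reports, for the lower-case short hostname and FQDN that a client would request, whether the keytab holds an exact-case host/ principal, one that differs only in case (which case-sensitive libkrb5 matching will not accept), or none at all. The keytab listing and hostnames are constructed sample data; `klist -k` output format and the lower-case client-side names are assumptions.

```python
import re

# Constructed sample in the shape of `klist -k` output; not a real keytab.
# Mirrors the thread: short name upper case, FQDN lower case.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/MYSHOSTNAME@EXAMPLE.COM
   2 host/myshostname.example.com@EXAMPLE.COM
   2 MYSHOSTNAME$@EXAMPLE.COM
"""

# "<kvno> <principal>" rows; header and separator lines do not match.
PRINC_RE = re.compile(r"^\s*\d+\s+(\S+)$")


def parse_principals(klist_output):
    """Return the distinct principal names listed in klist -k output."""
    names = set()
    for line in klist_output.splitlines():
        m = PRINC_RE.match(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def host_principal_names(principals):
    """Hostname parts of host/<name>@REALM principals, case preserved."""
    return [p[len("host/"):].split("@", 1)[0]
            for p in principals if p.startswith("host/")]


def check_host_principals(principals, short_host, fqdn):
    """Classify each expected name (assumed lower case, as requested by the
    client) as 'ok', 'case-mismatch' (exists only with other casing, which
    libkrb5 treats as a different principal) or 'missing'."""
    hosts = host_principal_names(principals)
    result = {}
    for expected in (short_host, fqdn):
        if expected in hosts:
            result[expected] = "ok"
        elif any(h.lower() == expected.lower() for h in hosts):
            result[expected] = "case-mismatch"
        else:
            result[expected] = "missing"
    return result


if __name__ == "__main__":
    princs = parse_principals(SAMPLE_KLIST)
    for name, state in check_host_principals(princs, "myshostname",
                                             "myshostname.example.com").items():
        print(f"{name}: {state}")
```

On a real host, feed it the output of `klist -k` and the lower-case forms of `hostname -s` and `hostname -f`; a `case-mismatch` on the short name is the symptom described in the thread.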
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org