I successfully joined our shiny new compute cluster to our AD domain using adcli. UID/GID lookups are done using SSSD (and pam-sss). Everything works fine, except for SSO w/GSSAPI.
For example, I would like to do the following (login1 and login2 are both servers inside the cluster):
- SSH to
login1, using my Kerberos credentials (works) - Automatically obtain TGT (works)
- From
login1, SSH tologin2using GSSAPI (Does not work, falls back to password auth)
Using ssh -v login002 yields the following:
[…] debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database The following might be relevant:
- All nodes are CentOS 7.
- The name of the AD/Kerberos domain is
ad.example.com. - The hostnames,
login1andlogin2, are resolved using/etc/hosts. - The full hostnames of
login1andlogin2arelogin1.hpc.example.com/login2.hpc.example.com… - …but the DNS names of the corresponding AD objects are
login1.hpc.ad.example.com/login2.hpc.ad.example.com. - My
/etc/krb5.confhas no domain-specific settings.
I suspect a DNS misconfiguration error or something missing in my /etc/krb5.conf, but I feel like I'm in over my head this time. Does anybody know how I could get this to work?
EDIT 1: Fixed /etc/hosts entries.
EDIT 2: Bit of success! I managed to SSH from login1 into my own computer work1.example.com using GSSAPI—but only once I put work1's full hostname into the /etc/hosts file of login1. Incidentally, my computer's local hostname, its corresponding AD object's DNS name, and the entry for it in login1's /etc/hosts now match.
So it seems I was right about that DNS error, though I'm still foggy on the details. Any pointers appreciated!
[link] [comments]