I successfully joined our shiny new compute cluster to our AD domain using adcli. UID/GID lookups are done using SSSD (and pam-sss). Everything works fine, except for SSO w/GSSAPI.

For example, I would like to do the following (login1 and login2 are both servers inside the cluster):

- SSH to login1, using my Kerberos credentials (works)
- Automatically obtain TGT (works)
- From login1, SSH to login2 using GSSAPI (does not work, falls back to password auth)

Using `ssh -v login002` yields the following:

    […]
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Server not found in Kerberos database

The following might be relevant:

- All nodes are CentOS 7.
- The name of the AD/Kerberos domain is ad.example.com.
- The hostnames, login1 and login2, are resolved using /etc/hosts.
- The full hostnames of login1 and login2 are login1.hpc.example.com / login2.hpc.example.com…
- …but the DNS names of the corresponding AD objects are login1.hpc.ad.example.com / login2.hpc.ad.example.com.
- My /etc/krb5.conf has no domain-specific settings.

I suspect a DNS misconfiguration error or something missing in my /etc/krb5.conf, but I feel like I'm in over my head this time. Does anybody know how I could get this to work?

EDIT 1: Fixed /etc/hosts entries.

EDIT 2: Bit of success! I managed to SSH from login1 into my own computer work1.example.com using GSSAPI, but only once I put work1's full hostname into the /etc/hosts file of login1. Incidentally, my computer's local hostname, its corresponding AD object's DNS name, and the entry for it in login1's /etc/hosts now match.

So it seems I was right about that DNS error, though I'm still foggy on the details. Any pointers appreciated!
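The name handling behind "Server not found in Kerberos database", as an added example that is not part of the post above: the ssh client canonicalizes the typed hostname through the resolver (here, /etc/hosts), builds the service principal host/<canonical-name>@<default_realm>, and the KDC rejects the ticket request when no SPN of that name exists on the target's AD computer object. The /etc/hosts lines, IP addresses, SPN list and realm below are constructed assumptions that follow the names in the post; the simulation runs offline with no KDC.

```shell
#!/usr/bin/env bash
# Added example (not code from the post). Models how an MIT krb5 client turns
# "ssh login2" into a service principal and why the KDC cannot find it when the
# canonical hostname differs from the AD object's DNS name. All data is
# constructed: hosts lines, IPs, SPN list and realm are assumptions.

DEFAULT_REALM="AD.EXAMPLE.COM"      # assumed default_realm from krb5.conf

# Constructed /etc/hosts content as the post describes it (cluster names)
HOSTS_SAMPLE='10.0.0.11 login1.hpc.example.com login1
10.0.0.12 login2.hpc.example.com login2'

# Constructed SPNs on the AD computer objects (the AD-side DNS names)
SPN_SAMPLE='host/login1.hpc.ad.example.com
host/login2.hpc.ad.example.com'

# canonical_name NAME: resolver-style canonicalization against the hosts
# sample; the first name on the matching line is the canonical one.
canonical_name() {
    printf '%s\n' "$HOSTS_SAMPLE" | awk -v n="$1" '
        { for (i = 2; i <= NF; i++) if ($i == n) { print $2; exit } }'
}

# expected_principal NAME: the principal the client asks the KDC for. With the
# krb5 default dns_canonicalize_hostname = true and no [domain_realm] entry,
# the canonical name and the default realm are used.
expected_principal() {
    local canon
    canon=$(canonical_name "$1")
    [ -n "$canon" ] || return 1
    printf 'host/%s@%s\n' "$canon" "$DEFAULT_REALM"
}

# spn_registered PRINCIPAL: is the principal (realm stripped) in the SPN list?
spn_registered() {
    printf '%s\n' "$SPN_SAMPLE" | grep -qxF "${1%@*}"
}

# check_target NAME: prints the verdict; returns 0 only when the KDC would
# find the requested principal.
check_target() {
    local princ
    princ=$(expected_principal "$1") || { echo "$1: not resolvable"; return 2; }
    if spn_registered "$princ"; then
        echo "$1: client requests $princ -> SPN registered, GSSAPI can work"
        return 0
    fi
    echo "$1: client requests $princ -> no such SPN, KDC replies 'Server not found in Kerberos database'"
    return 1
}

# Demonstration: the post's case, then the case from EDIT 2 where the canonical
# name in /etc/hosts equals the AD object's DNS name.
demo() {
    local saved=$HOSTS_SAMPLE
    check_target login2 || true
    HOSTS_SAMPLE='10.0.0.12 login2.hpc.ad.example.com login2'
    check_target login2 || true
    HOSTS_SAMPLE=$saved
    return 0
}
demo
# On the real hosts the equivalent checks, without this simulation, are:
#   kvno host/$(hostname -f)      # on login1: ask the KDC for the service ticket
#   klist -k /etc/krb5.keytab     # on login2: keys sshd can accept
```

The two ways out of the mismatch are the ones the simulation implies: make the name the client canonicalizes to equal the AD object's DNS name (what EDIT 2 did by hand in /etc/hosts), or register an additional host/ SPN under the hpc.example.com name on the computer object and in its keytab (adcli's --service-name option exists for this; check adcli(8) on your version).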