Re: Weird behaviour: what's going on?
From: Richard E. Silverman (res_at_qoxp.net)
Date: 14 Jul 2005 00:26:18 -0400
> On 2005-07-13 07:04:02 -0500, "Richard E. Silverman" <firstname.lastname@example.org> said:
> > First, regardless of what the server is doing, your client is trying to
> > use Kerberos for the key exchange:
> Yes, but that's not a problem, since there's a problem with DNS...
The use of Kerberos is the reason your client needs to do the reverse
lookup in the first place; it would not need to do it otherwise.
> > It is, and it will use it in case you have a ticket so I can delegate
> > credentials and use a passwordless login, but this is not the case: I'm
> > not using Kerberos on this client now.
You are mistaken. This:
> >> gssapi debug1: Next authentication method: gssapi
> >> debug2: we sent a gssapi packet, wait for reply
... shows that your client has obtained a ticket for the remote service,
and sent it. The gssapi key exchange code insists on canonicalizing the
name, whereas the userauth code does not; hence, the lack of a reverse
mapping will block the Kerberos key exchange while Kerberos user
authentication can still work (assuming the hostname you give is in fact
the one in the server's principal name).
> It doesn't matter whether you've touched it or not; it's clearly not
> working. Your reverse lookups are timing out.
> > Ok, now the question is (yes, I'm paranoid): which DNS? The client side
> > or the server side DNS?
It is the client's reverse lookup of the server name that is failing.
-- Richard Silverman email@example.com
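
Added example, not part of the original message: a small Python check that approximates the forward-then-reverse lookup a client performs when it canonicalizes a server name, reporting addresses with no reverse mapping and names that map back to something else. The function name, the injectable resolver parameters and the sample hosts and addresses are constructed for illustration; the ssh client's exact lookup steps are not shown in the thread.

```python
import socket

def _forward(host):
    # Real forward lookup: every address the name resolves to.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def _reverse(addr):
    # Real reverse (PTR) lookup; raises socket.herror when it fails.
    return socket.gethostbyaddr(addr)[0]

def check_canonicalization(host, forward=_forward, reverse=_reverse):
    """Return (canonical_name, problems); canonical_name is None when
    no address of the host has a working reverse mapping."""
    try:
        addrs = forward(host)
    except OSError as e:
        return None, [f"forward lookup of {host} failed: {e}"]
    canonical, problems = None, []
    want = host.rstrip(".").lower()
    for addr in addrs:
        try:
            name = reverse(addr).rstrip(".").lower()
        except OSError as e:
            problems.append(f"no reverse mapping for {addr}: {e}")
            continue
        canonical = canonical or name
        if name != want:
            problems.append(f"{addr} maps back to {name}, not {want}")
    return canonical, problems

# Constructed sample zone data (documentation address range), so the
# example runs offline instead of querying a live resolver.
FWD = {"good.example.com": ["192.0.2.10"],
       "alias.example.com": ["192.0.2.10"],
       "norev.example.com": ["192.0.2.20"]}
REV = {"192.0.2.10": "good.example.com."}

def fake_forward(host):
    if host not in FWD:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FWD[host]

def fake_reverse(addr):
    if addr not in REV:
        raise socket.herror(1, "Unknown host")
    return REV[addr]

if __name__ == "__main__":
    for h in FWD:
        print(h, check_canonicalization(h, fake_forward, fake_reverse))
```

Calling `check_canonicalization("server.name")` with the default resolvers, on the client, runs the same check against the client's real DNS configuration.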