GSSAPI on Linux when reverse DNS lookup doesn’t match AD DNS suffix

Tags: active-directory, centos6, gssapi, kerberos, mit-kerberos

I have a CentOS 6 server that has been joined to Active Directory using Samba and net ads join -k.

It thus has a keytab like this:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.ad.example.com@AD.EXAMPLE.COM
   1 host/myhost.ad.example.com@AD.EXAMPLE.COM
   1 host/myhost.ad.example.com@AD.EXAMPLE.COM
   1 host/myhost.ad.example.com@AD.EXAMPLE.COM
   1 host/myhost.ad.example.com@AD.EXAMPLE.COM
   1 host/MYHOST@AD.EXAMPLE.COM
   1 host/MYHOST@AD.EXAMPLE.COM
   1 host/MYHOST@AD.EXAMPLE.COM
   1 host/MYHOST@AD.EXAMPLE.COM
   1 host/MYHOST@AD.EXAMPLE.COM
   1 MYHOST$@AD.EXAMPLE.COM
   1 MYHOST$@AD.EXAMPLE.COM
   1 MYHOST$@AD.EXAMPLE.COM
   1 MYHOST$@AD.EXAMPLE.COM
   1 MYHOST$@AD.EXAMPLE.COM

Using OpenSSH and pam_krb5, I can also authenticate with GSSAPI when the reverse DNS lookup is myhost.ad.example.com. So far so good.

Now, the thing is that for various reasons I'd like the reverse DNS lookup for the server to be myhost.example.org. Is this even possible?

"host/myhost.example.org@AD.EXAMPLE.COM" should be a perfectly valid Kerberos principal, but if I try adding myhost.example.org as a service principal name in Active Directory, net ads join -k fails with "failed to set machine spn: Constraint violation".

If I try adding PTR records for both myhost.ad.example.com and myhost.example.org I get the interesting behaviour that I can log in with GSSAPI every other attempt.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html has a number of suggestions. I've tried adding "rdns = false" (krb5.conf) on the client, and "ignore_acceptor_hostname = true" (krb5.conf) and "GSSAPIStrictAcceptorCheck no" (sshd_config) on the server. It doesn't appear to make any difference at all.

Best Answer

This is a realm mapping issue. Your hosts are likely being mapped to no realm at all.

Use either /etc/krb5.conf

[domain_realm]
.example.com = AD.EXAMPLE.COM

or preferably the DNS equivalent

_kerberos.example.com IN TXT AD.EXAMPLE.COM
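To make the realm-mapping step concrete, here is an added example (not code from the question, the answer or MIT krb5 itself) that models how a Kerberos library resolves a host name to a realm: an exact host entry in [domain_realm] first, then leading-dot parent-domain entries, and finally a walk up _kerberos.<domain> TXT records. The mapping table and DNS records are constructed sample data mirroring the thread above, so a host under example.org resolves to no realm at all unless an entry for it is added.

```python
# Added example: a model of MIT-krb5-style host-to-realm resolution.
# Constructed stand-in for krb5.conf [domain_realm] (keys kept lowercase).
DOMAIN_REALM = {
    ".example.com": "AD.EXAMPLE.COM",
}

# Constructed stand-in for DNS TXT records named _kerberos.<domain>.
DNS_TXT = {
    "_kerberos.example.com": "AD.EXAMPLE.COM",
}


def candidate_suffixes(host):
    """Yield the host name, then each parent domain: 'a.b.c' -> 'a.b.c', 'b.c', 'c'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def realm_from_domain_realm(host, mapping=DOMAIN_REALM):
    """Exact host entry wins; otherwise the longest matching '.domain' entry."""
    for i, suffix in enumerate(candidate_suffixes(host)):
        if i == 0 and suffix in mapping:      # entry naming this exact host
            return mapping[suffix]
        if "." + suffix in mapping:           # leading-dot entry covers the whole domain
            return mapping["." + suffix]
    return None                               # no [domain_realm] mapping at all


def realm_from_dns(host, txt=DNS_TXT):
    """Walk _kerberos.<host>, _kerberos.<parent>, ... as dns_lookup_realm would."""
    for suffix in candidate_suffixes(host):
        realm = txt.get("_kerberos." + suffix)
        if realm:
            return realm
    return None


def host_realm(host, mapping=DOMAIN_REALM, txt=DNS_TXT):
    """krb5.conf first, DNS second; None means the host is mapped to no realm."""
    return realm_from_domain_realm(host, mapping) or realm_from_dns(host, txt)
```

Running host_realm("myhost.ad.example.com") yields AD.EXAMPLE.COM, while host_realm("myhost.example.org") yields None until a ".example.org" entry or a _kerberos.example.org TXT record is added.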