I have a situation where I am attempting to take advantage of GSSAPI (Kerberos) forwarding to connect to another Linux server that is also joined to a Windows AD and using SSSD.
The Linux machines are joined to the domain using a different machine name than the actual FQDN of the server. When I log into the first machine with my domain credentials, PAM succeeds and I'm issued a valid token. It shows up with klist. However, even after enabling GSSAPI and Kerberos logins on SSH on another Linux host also joined to the domain, I still get the "Server not found in the kerberos database" client error and it falls back to using password authentication. I am passing along -K to enable the Kerberos token forwarding.
If my memory serves correctly, this is potentially due to an SPN issue in AD (the Kerberos server in this case) with the Linux machine joined with a different machine name than the actual machine's FQDN that I am connecting to (or from?) but I'm not certain and need some help pointing me in the right direction.
Best Answer
You can use the principal name known to your domain controller by passing the GSSAPIServerIdentity option to your ssh client. From the ssh_config manpage:
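As an added example (not part of the accepted answer or of the original poster's setup), the following shell snippet builds the ssh invocation and the ~/.ssh/config stanza that override the expected server principal, plus a pre-flight kvno check. All names are assumptions: the target's real FQDN is box2.corp.example.com, it joined AD as LNX-BOX2 (so AD holds the SPN host/LNX-BOX2.corp.example.com), and the realm is CORP.EXAMPLE.COM. Note that GSSAPIServerIdentity comes from the GSSAPI key-exchange patch carried by Debian/Ubuntu and some other distribution builds rather than from upstream OpenSSH, so confirm it appears in man ssh_config on your client before relying on it.

```sh
#!/bin/sh
# Added example, not code from the original page. Assumed names:
#   real FQDN of the target host      : box2.corp.example.com
#   name the host joined AD under     : LNX-BOX2 (SPN host/LNX-BOX2.corp.example.com)
#   Kerberos realm                    : CORP.EXAMPLE.COM

# Build the one-off ssh command line.
# -K turns on GSSAPIAuthentication and GSSAPIDelegateCredentials (TGT forwarding).
# GSSAPIServerIdentity replaces the host/<target-fqdn> principal the client would
# otherwise ask the KDC for, so the request matches the SPN registered in AD and
# "Server not found in Kerberos database" no longer forces a password fallback.
gssapi_ssh_cmd() {
    target_fqdn=$1
    ad_identity=$2
    printf 'ssh -K -o GSSAPIAuthentication=yes -o GSSAPIServerIdentity=%s %s\n' \
        "$ad_identity" "$target_fqdn"
}

# Emit a Host stanza for ~/.ssh/config so the override is permanent for that host.
ssh_config_stanza() {
    target_fqdn=$1
    ad_identity=$2
    printf 'Host %s\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n    GSSAPIServerIdentity %s\n' \
        "$target_fqdn" "$ad_identity"
}

# Pre-flight check (needs a TGT and network access to the KDC, so it is not run
# offline): ask the KDC for a service ticket for the principal the target should
# present. If this also reports "Server not found in Kerberos database", the SPN
# does not exist under that name in AD and no client-side option will help.
kvno_check() {
    ad_identity=$1
    kvno "host/${ad_identity}"
}

# Stand-alone usage: print the command and the config stanza for the assumed names.
gssapi_ssh_cmd box2.corp.example.com LNX-BOX2.corp.example.com
ssh_config_stanza box2.corp.example.com LNX-BOX2.corp.example.com
```

After a successful login, klist on the client should show a service ticket for host/LNX-BOX2.corp.example.com@CORP.EXAMPLE.COM (the identity you passed), and klist on the target should show the forwarded TGT if delegation worked.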