[Authentication] Additional hostnames in SPNs using 'adcli update' or 'adcli join'

Sumit Bose sbose at redhat.com
Thu Apr 14 13:13:18 UTC 2016


On Thu, Apr 14, 2016 at 02:49:12PM +0200, Patrice Peterson wrote:
> Hi,
> 
> we have a compute cluster that is part of our Active Directory domain.
> We would like to be able to SSH between all cluster nodes using SSH's
> GSSAPI auth mechanism. However, the login node poses a bit of trouble:
> The compute nodes reach it as
> "login001.cluster-internal.ad.example.com", while the users reach the
> login node from a different network interface, using
> "cluster1.ad.example.com". The hostname of the login node is also
> 'cluster1.ad.example.com'.
> 
> I am fairly sure I can achieve that by adding both SPNs, 
> 'host/login001.cluster-internal.ad.example.com' and
> 'host/cluster1.ad.example.com' to the keytab. However, I wasn't able to
> create such a keytab when using the '--service-name' switch for adcli,
> as that only allows me to add another service and not another hostname.
> 
> Is there a way to do this with just adcli, or do I have to generate the
> keytab on a Windows machine with the help of our domain administrator?
> 
> Thanks for any help!

I think the GSSAPIStrictAcceptorCheck option of sshd is what you are
looking for, see man sshd_config for details. By setting it to 'no' sshd
should accept different names as well.

HTH

bye,
Sumit

> 
> - Patrice
> 
> -- 
> Patrice Peterson
> Consultant for HPC Applications
> Martin-Luther-Universität Halle-Wittenberg
> IT Service Centre, Room E.09.0
> Kurt-Mothes-Straße 1
> 06120 Halle (Saale)
> Phone: 0345-55 21864
> 
> 
> _______________________________________________
> Authentication mailing list
> Authentication at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/authentication
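The two checks a practitioner would run before and after following the suggestion above, written here as an added example; this is not code from the thread, from adcli or from OpenSSH. The hostnames and realm are the ones Patrice gives; the `klist -k` listing and the sshd_config fragment are constructed samples, not captured from a real host.

```shell
# Added example (not from the thread). Checks (1) which host/ SPNs a keytab
# listing actually contains versus the names the login node is reached by, and
# (2) what an sshd_config fragment sets GSSAPIStrictAcceptorCheck to.

# Every name the login node is reached by, from Patrice's description.
REQUIRED_NAMES="cluster1.ad.example.com login001.cluster-internal.ad.example.com"

# Constructed sample of what `klist -k /etc/krb5.keytab` might print on the
# login node after a plain `adcli join`: only the canonical hostname has a
# host/ entry, the cluster-internal name does not.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/cluster1.ad.example.com@AD.EXAMPLE.COM
   2 host/CLUSTER1@AD.EXAMPLE.COM
   2 CLUSTER1$@AD.EXAMPLE.COM'

# Read `klist -k` output on stdin; print the distinct names carried by host/
# principals with the "host/" prefix and the "@REALM" suffix stripped.
keytab_host_names() {
    awk '$2 ~ /^host\// { n = $2; sub(/^host\//, "", n); sub(/@.*$/, "", n); print n }' | sort -u
}

# Print "missing: host/<name>" for each required name without a keytab entry.
# Returns 0 when every name is covered, 1 otherwise.
missing_host_spns() {
    listing="$1"
    rc=0
    names=$(printf '%s\n' "$listing" | keytab_host_names)
    for name in $REQUIRED_NAMES; do
        if ! printf '%s\n' "$names" | grep -qxF "$name"; then
            echo "missing: host/$name"
            rc=1
        fi
    done
    return $rc
}

# Read sshd_config text on stdin and print the effective value of
# GSSAPIStrictAcceptorCheck. sshd's default is "yes", so an absent directive
# counts as strict. On a live host, `sshd -T | grep -i gssapistrictacceptorcheck`
# prints the same answer from the running daemon's effective configuration.
strict_acceptor_check() {
    awk 'BEGIN { v = "yes" }
         tolower($1) == "gssapistrictacceptorcheck" { v = tolower($2) }
         END { print v }'
}

# Constructed sshd_config fragment with the change Sumit suggests.
SAMPLE_SSHD_CONFIG='GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no'

if missing_host_spns "$SAMPLE_KLIST"; then
    echo "all required host/ SPNs are in the keytab"
fi
printf 'GSSAPIStrictAcceptorCheck effective: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | strict_acceptor_check)"
```

Two caveats go with the `no` setting. First, with GSSAPIStrictAcceptorCheck off, sshd will accept a service ticket for any principal it holds a key for, rather than only host/<its own canonical name>, so the keytab on the login node must contain nothing but that node's own principals. Second, the setting only relaxes the acceptor side: the client still asks the KDC for a ticket for host/login001.cluster-internal.ad.example.com, and the KDC only issues one if that SPN is registered on an account in AD, so the SPN registration is needed regardless of which route to the keytab is taken.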

