[Freeipa-devel] sshd, gssapi postinstall cleanup
John Dennis
jdennis at redhat.com
Wed Jan 2 21:21:00 UTC 2008
I lost my ability to ssh into one of the boxes I had IPA installed on.
I'm not currently testing IPA on that box anymore so I disabled many of
the IPA services and reset my /etc/krb5.conf file back to its original
content (pointing to our corporate KDC). When I tried to ssh in, the
connection would appear to hang, so I ran ssh in verbose mode and
discovered it was hanging while attempting GSSAPI authentication. I'm
perplexed as to why and I'm wondering if something in the IPA
installation might have done something (I believe each IPA rpm had been
installed, but only the server install script had been run). Here are
the relevant facts:

* Kerberos works fine, only our corporate KDC is configured.
* disabling gssapi auth in /etc/ssh/sshd.conf makes the problem go away
  (but gssapi auth is enabled by default, so disabling this is non-standard).
* local logons work
* /etc/nsswitch.conf has only "files" for passwd, shadow, group
* pam ssh points to pam system-auth
* pam system-auth is normal
* /etc/gssapi_mech.conf seems normal (?)
* the local IPA KDC is shut down and there is no reference to it in krb5.conf

So, any ideas as to why sshd on that box would hang as it attempted
gssapi auth and how might a previous IPA install be responsible for that?
--
John Dennis <jdennis at redhat.com>