[32703] in Kerberos
Re: "Negative cache rejected lookup for" host/princ when using GSSAPI
daemon@ATHENA.MIT.EDU (Jonathan Simms)
Wed Sep 22 21:53:45 2010
In-Reply-To: <AANLkTikvwmgfZ5sksFhQb0AtR+4w3BHovYJs58AP__+p@mail.gmail.com>
Date: Wed, 22 Sep 2010 21:53:41 -0400
Message-ID: <AANLkTikbvbjDpPRbstWCsOUJJfH8HVkOdOVo5_XHVvH0@mail.gmail.com>
From: Jonathan Simms <slyphon@gmail.com>
To: kerberos@mit.edu
On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <slyphon@gmail.com> wrote:
> I found only one reference to the string "Negative cache rejected
> lookup for" searching google for information, so I figured I'd ask
> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
> am kinited on osx, and try to ssh to the debian box, I get the
> following error message in the debug output:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Negative cache rejected lookup for 'host/$FQDN@$REALM'
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
>
> debug1: Unspecified GSS failure. Minor code may provide more information
>
>
> When I ssh to another box and kinit there, then ssh over to the same
> host, it does the GSS exchange fine, forwards my credentials, and I
> see the host's ticket when I do klist.
>
> Any clue what this negative cache is on OS-X and how to clear it? The
> only reference I found was
> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
> and I'd rather not reboot my box if I can help it :)
>
> -- Jonathan
>
Looking at the kdc logs, it seems that I got an UNKNOWN_SERVER response for the host I was trying to connect to (cfengine hadn't setup the principal yet). After setting up the principal and confirming in kadmin that it did indeed exist, I tried sshing again, and noticed that in the kdc logs, OS-X didn't even attempt to get a key for the host. It seems CCacheServer (I'm guessing) is caching the negative reply. Is there any way of tuning this behavior?