SSH Kerberos authentication failures with "Wrong principal in request / Get client credentials" on Debian Squeeze

ask yourself WHAT the application is going to do

lots of file I/O? fine, then Apache's thread model is very good; file I/O blocks

long-lived client connections? then nginx's event model is the better fit; network I/O can be non-blocking

the most honest answer is that it's unlikely you will ever hit the architectural limits of ANY web server. just use whichever you are most comfortable with. the "overhead" arguments against Apache's thread model only matter in heavy-traffic scenarios.

8
asked 13 April 2017 at 15:14
3 answers

In the sample output I see that you got a key for a debian-squeeze -- a hostname without any dots in it. This does kind of prove that you set up your reverse resolution to point to the short name. Is that really a non-FQDN name that you see, or was it edited for the question?

Kerberos should work with either, but you may want to double-check that the host itself thinks it is called debian-squeeze. Check that the forward -> reverse lookup inside debian-squeeze really resolves to debian-squeeze:

$ getent hosts $(hostname) | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'

I haven't really heard of Kerberos being deployed with short names, so if you have a choice, it may be a good idea to stick with FQDNs.

Update:

The client is currently getting a key for the short name, but the server thinks it is properly named with a long name. Most likely the issue is there. Just to be sure, try the following:

  1. Check the forward/reverse name lookup from the client. I.e.

    $ getent hosts debian-squeeze | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'
    

    The returned name is the one that the client will try to get a ticket for. Judging by your output, this is probably the short name.

  2. Check what keys are present on the server.

    $ sudo klist -k /etc/krb5.keytab
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
     1 host/debian-squeeze.realm@REALM
     1 host/debian-squeeze.realm@REALM
     1 host/debian-squeeze.realm@REALM
     1 host/debian-squeeze.realm@REALM
    ...
    

    In the list you should see a principal matching the hostname from the previous command. If it's not there, then that's your problem. If it is there...

  3. Verify the key version on the kerberos server is the same as the one on debian-squeeze. On the client, get a key explicitly and verify the "KVNO" version at the end of the line:

    $ kvno host/debian-squeeze.realm
    host/debian-squeeze.realm@REALM: kvno = 1
    

At any rate, the hostname and "kvno" version in all these commands should match.

6
answered 2 December 2019 at 23:04

To cover the basics: have you checked that the clocks on all the machines are in sync?

0
answered 2 December 2019 at 23:04

I have seen this error when /etc/hosts on the server includes an entry for its IP address that does not match what is in DNS or the keytab. Have you double checked (or removed) all the non-localhost entries from /etc/hosts?

0
answered 2 December 2019 at 23:04
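The three checks from the first answer (canonical name from the forward/reverse lookup, principal present in the keytab, KVNO agreeing with the KDC) and the /etc/hosts point from the answer just above can be run as one script. The following is an added example, not code from either answer: it emulates the `files` backend of `getent hosts` and parses `klist -k` / `kvno` style output from constructed sample text so that it runs offline. The hostname debian-squeeze, the realm REALM, the address 192.0.2.10 and the two hosts-file layouts are assumptions for the illustration; in real use replace the here-strings with the live output of `cat /etc/hosts`, `sudo klist -k /etc/krb5.keytab` and `kvno host/<fqdn>`.

```shell
#!/bin/sh
# Added diagnostic example for the Kerberos/SSH "wrong principal" problem.
# Sample data below is constructed, not taken from the original question.

# /etc/hosts with the SHORT name first on the server's line: the reverse
# lookup then yields "debian-squeeze" and the client asks for the wrong principal.
HOSTS_BROKEN='127.0.0.1   localhost
192.0.2.10  debian-squeeze debian-squeeze.realm'

# Same file with the FQDN first, which is what the keytab was created for.
HOSTS_FIXED='127.0.0.1   localhost
192.0.2.10  debian-squeeze.realm debian-squeeze'

# Constructed `klist -k` output (two keys, different enctypes, same KVNO).
KLIST_K='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 host/debian-squeeze.realm@REALM
   1 host/debian-squeeze.realm@REALM'

# Constructed `kvno` output: KDC agrees with the keytab / KDC has a newer key.
KVNO_OK='host/debian-squeeze.realm@REALM: kvno = 1'
KVNO_STALE='host/debian-squeeze.realm@REALM: kvno = 2'

# canonical_name HOSTS_TEXT NAME
# Emulates the files backend of the pipeline from the first answer:
#   getent hosts NAME | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'
# i.e. forward-resolve NAME, then print the canonical (first) name of that IP.
canonical_name() {
    ip=$(printf '%s\n' "$1" | awk -v n="$2" \
        '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$1" | awk -v ip="$ip" '$1 == ip { print $2; exit }'
}

# keytab_kvnos KLIST_TEXT PRINCIPAL -> distinct KVNOs stored for PRINCIPAL
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_TEXT PRINCIPAL -> KVNO the KDC put in the service ticket
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" -F'[: =]+' '$1 == p { print $3 }'
}

# diagnose HOSTS_TEXT KLIST_TEXT KVNO_TEXT SERVER_NAME REALM
# Prints "<status> <principal>" where status is one of
#   unresolvable | missing-principal | no-ticket | kvno-mismatch | ok
diagnose() {
    canon=$(canonical_name "$1" "$4") || { echo "unresolvable $4"; return; }
    princ="host/$canon@$5"                 # what the GSSAPI client will ask for
    kvnos=$(keytab_kvnos "$2" "$princ")
    if [ -z "$kvnos" ]; then echo "missing-principal $princ"; return; fi
    k=$(kdc_kvno "$3" "$princ")
    if [ -z "$k" ]; then echo "no-ticket $princ"; return; fi
    for v in $kvnos; do
        [ "$v" = "$k" ] && { echo "ok $princ"; return; }
    done
    echo "kvno-mismatch $princ"
}

# Stand-alone run: show the three situations side by side.
diagnose "$HOSTS_BROKEN" "$KLIST_K" "$KVNO_OK"    debian-squeeze REALM
diagnose "$HOSTS_FIXED"  "$KLIST_K" "$KVNO_OK"    debian-squeeze REALM
diagnose "$HOSTS_FIXED"  "$KLIST_K" "$KVNO_STALE" debian-squeeze REALM
```

The broken hosts file reproduces the symptom in the question: the canonical name comes back as the short name, so the client requests `host/debian-squeeze@REALM`, which is not in the keytab, and sshd rejects the ticket with a wrong-principal error. With the FQDN first the principal matches and only the KVNO comparison remains; a stale keytab after a key rotation shows up as `kvno-mismatch`. On a real host the reverse step goes through DNS PTR records (or /etc/hosts, depending on nsswitch.conf order), and MIT Kerberos only uses it when `rdns` in the `[libdefaults]` section of krb5.conf is left at its default of true.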
